
feat: passkeys flow redir check

httpjamesm 1 rok pred
rodič
commit
d62de0c193

+ 18 - 4
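--- a/apps/accounts/src/pages/passkeys/flow/index.tsx
+++ b/apps/accounts/src/pages/passkeys/flow/index.tsx
@@ -23,8 +23,25 @@ const PasskeysFlow = () => {
     const [loading, setLoading] = useState(true);
 
     const init = async () => {
-        // get passkeySessionID from the query params
         const searchParams = new URLSearchParams(window.location.search);
+
+        // get redirect from the query params
+        const redirect = searchParams.get('redirect');
+
+        if (!redirect) {
+            setErrored(true);
+            return;
+        }
+
+        const redirectURL = new URL(redirect);
+        if (process.env.NEXT_PUBLIC_DISABLE_REDIRECT_CHECK !== 'true') {
+            if (!redirectURL.host.endsWith('ente.io')) {
+                setErrored(true);
+                return;
+            }
+        }
+
+        // get passkeySessionID from the query params
         const passkeySessionID = searchParams.get('passkeySessionID');
 
         setLoading(true);
@@ -83,9 +100,6 @@ const PasskeysFlow = () => {
 
         const encodedResponse = _sodium.to_base64(JSON.stringify(finishData));
 
-        // get redirect from the query params
-        const redirect = searchParams.get('redirect');
-
         window.location.href = `${redirect}?response=${encodedResponse}`;
     };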
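Review bot: The host check `redirectURL.host.endsWith('ente.io')` in the first hunk is a suffix match, so any registered host whose name merely ends in those characters (a different domain, not a subdomain) passes and the page will still forward the passkey response there; the check should accept only the apex or a real subdomain, i.e. `host === 'ente.io' || host.endsWith('.ente.io')`, and ideally also require `redirectURL.protocol === 'https:'`. Separately, `new URL(redirect)` throws on a malformed value, and because `init` is async that becomes an unhandled rejection with `loading` left at its initial `true` rather than `errored` being set; wrap the parse so a bad value takes the same error path as a missing one. The `NEXT_PUBLIC_DISABLE_REDIRECT_CHECK` bypass is presumably for local development; a one-line comment saying so next to it would help the next reader. `init` continues past both hunks, and the second hunk navigates with the raw `redirect` string rather than the validated `redirectURL`.
```typescript
        let redirectURL: URL;
        try {
            redirectURL = new URL(redirect);
        } catch {
            setErrored(true);
            return;
        }
        // NEXT_PUBLIC_DISABLE_REDIRECT_CHECK is a dev-only escape hatch; the host allow-list applies otherwise.
        if (process.env.NEXT_PUBLIC_DISABLE_REDIRECT_CHECK !== 'true') {
            const host = redirectURL.host;
            const isAllowedHost = host === 'ente.io' || host.endsWith('.ente.io');
            if (redirectURL.protocol !== 'https:' || !isAllowedHost) {
                setErrored(true);
                return;
            }
        }
        // … unchanged: passkeySessionID lookup and the rest of init …
```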