From 9ddd05216f0b2e0a1453ed8608c99164b5dd2f41 Mon Sep 17 00:00:00 2001
From: Kyle Baran
Date: Wed, 28 Feb 2024 17:50:51 -0800
Subject: [PATCH] Some cleanup and fixes

---
 .../src/user/services/AuthService.ts | 107 ++++++++----------
 .../public/root-cookie-accessor-template.html | 2 +
 .../allowed-domains/allowed-domains.hooks.ts | 2 +-
 3 files changed, 52 insertions(+), 59 deletions(-)

diff --git a/packages/client-core/src/user/services/AuthService.ts b/packages/client-core/src/user/services/AuthService.ts
index 77499d280a..eab61984e9 100755
--- a/packages/client-core/src/user/services/AuthService.ts
+++ b/packages/client-core/src/user/services/AuthService.ts
@@ -127,6 +127,33 @@ const resolveWalletUser = (credentials: any): UserType => {
 }
 }
+const waitForToken = async(win, clientUrl): Promise => {
+ return new Promise(resolve => {
+ console.log('waitForToken')
+ win.postMessage(JSON.stringify({
+ key: `${stateNamespaceKey}.AuthState.authUser`,
+ method: "get"
+ }), clientUrl);
+ const getIframeResponse = function (e) {
+ console.log('got message from iframe for getIframeResponse', e, e?.data)
+ if (e.origin !== clientUrl) return
+ if (e?.data) {
+ try {
+ const value = JSON.parse(e.data)
+ console.log('value', value)
+ if (value?.accessToken != null) {
+ console.log('accessToken exists')
+ window.removeEventListener('message', getIframeResponse)
+ resolve(value?.accessToken)
+ }
+ } catch {
+ resolve('')
+ }
+ } else resolve(e)
+ }
+ window.addEventListener('message', getIframeResponse)
+ })
+}
 const getToken = async(): Promise => {
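Review bot: In the added `getIframeResponse`, the handler is detached only on the `accessToken != null` path; the `catch` branch resolves with `''` and the `else resolve(e)` branch resolves with the MessageEvent object itself, both while leaving the listener registered, so every call to waitForToken can leak a `'message'` listener and a caller can receive an event where a token string is expected. A reply from the trusted origin whose JSON has no `accessToken` leaves the promise pending with no timeout. The `e.origin !== clientUrl` check is the right trust boundary and should stay first; the rewrite below makes every resolving path detach the listener and resolve with a string or null. The signature is untyped (`win`, `clientUrl`, bare `Promise`); `win: Window, clientUrl: string` and `Promise<string | null>` would let the compiler check the call sites in the later hunks. getToken's body continues outside the hunk.
```typescript
const getIframeResponse = function (e: MessageEvent) {
  if (e.origin !== clientUrl) return
  let token: string | null = null
  try {
    const value = e?.data ? JSON.parse(e.data) : null
    // Not the reply to our "get" request: keep waiting rather than resolving with an event object.
    if (value?.accessToken == null) return
    token = value.accessToken
  } catch {
    token = null
  }
  // Every resolving path detaches the handler so repeated calls do not accumulate listeners.
  window.removeEventListener('message', getIframeResponse)
  resolve(token)
}
// … unchanged: addEventListener registration …
```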
@@ -139,6 +166,21 @@ const getToken = async(): Promise => {
 win = iframe!.contentWindow;
 }
+ window.addEventListener('message', (e) => {
+ if (e?.data) {
+ try {
+ const value = JSON.parse(e.data)
+ console.log('value', value)
+ if (value?.invalidDomain != null) {
+ console.log('invalid Domain')
+ localStorage.setItem('invalidCrossOriginDomain', 'true')
+ }
+ } catch(err) {
+ //
+ }
+ }
+ })
+
 console.log('app host', `https://${process.env.VITE_APP_HOST}`)
 console.log('posting checkAccess', config.client.clientUrl)
 const clientUrl = config.client.clientUrl
@@ -170,25 +212,12 @@ const getToken = async(): Promise => {
 })
 console.log('hasAccess', hasAccess)
 console.log('retrieving token from root storage')
- if (!hasAccess.cookieSet) {
- console.log('cookieSet is null')
- const skipCheck = localStorage.getItem('skipCrossOriginCookieCheck')
- console.log('skipCheck', skipCheck)
- if (skipCheck === 'true') {
- console.log('JORTS')
- const authState = getMutableState(AuthState)
- const accessToken = authState?.authUser?.accessToken?.value
- return Promise.resolve(accessToken?.length > 0 ? accessToken : null)
- } //else window.location.href = `${clientUrl}/main-site-cookie-acknowledgment.html?redirect=${window.location}`
- else {
- iframe.style.display = 'block'
- }
- }
- else if (!hasAccess.hasStorageAccess) {
+ if (!hasAccess.cookieSet || !hasAccess.hasStorageAccess) {
 console.log('does not have storage access')
 const skipCheck = localStorage.getItem('skipCrossOriginCookieCheck')
+ const invalidCrossOriginDomain = localStorage.getItem('invalidCrossOriginDomain')
 console.log('skipCheck', skipCheck)
- if (skipCheck === 'true') {
+ if (skipCheck === 'true' || invalidCrossOriginDomain === 'true') {
 console.log('SHORTS')
 const authState = getMutableState(AuthState)
 const accessToken = authState?.authUser?.accessToken?.value
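Review bot: The `'message'` listener added at the top of the `@@ -139` hunk parses `e.data` without checking `e.origin`, so any window that can post to this page can send `{"invalidDomain":true}` and set `localStorage.invalidCrossOriginDomain`; the `@@ -170` hunk on the same line then treats that flag exactly like `skipCrossOriginCookieCheck` and appears to fall back to the locally stored access token instead of the root cookie accessor. Apply the same origin filter waitForToken uses before parsing, `if (e.origin !== config.client.clientUrl) return` (the local `clientUrl` is only declared after the listener here). The listener is also registered on every getToken call and never removed, and the flag is never cleared once written, so a single message sticks for the lifetime of localStorage; give the handler a name so it can be detached once the flag is set, `window.removeEventListener('message', onInvalidDomain)`, and clear the flag when a later access check succeeds. getToken starts and ends outside these hunks.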
@@ -213,27 +242,9 @@ const getToken = async(): Promise => {
 if (!e.data) resolve({ hasStorageAccess: false, cookieSet: false })
 const data = JSON.parse(e.data)
 console.log('data', data)
- win.postMessage(JSON.stringify({
- key: `${stateNamespaceKey}.AuthState.authUser`,
- method: "get"
- }), clientUrl);
- return await new Promise(resolve => {
- const getIframeResponse = function (e) {
- console.log('got message from iframe for getIframeResponse', e, e?.data)
- window.removeEventListener('message', getIframeResponse)
- if (e.origin !== clientUrl) return
- if (e?.data) {
- try {
- const value = JSON.parse(e.data)
- console.log('value', value)
- resolve(value?.accessToken)
- } catch {
- resolve(null)
- }
- } else resolve(e)
- }
- window.addEventListener('message', getIframeResponse)
- })
+ console.log('Waiting for token after click')
+ const token = await waitForToken(win, clientUrl)
+ resolve(token)
 }
 window.addEventListener('message', hasAccessListener)
 }
@@ -245,27 +256,7 @@ const getToken = async(): Promise => {
 })
 }
 } else {
- win.postMessage(JSON.stringify({
- key: `${stateNamespaceKey}.AuthState.authUser`,
- method: "get"
- }), clientUrl);
- return await new Promise(resolve => {
- const getIframeResponse = function (e) {
- console.log('got message from iframe for getIframeResponse', e, e?.data)
- window.removeEventListener('message', getIframeResponse)
- if (e.origin !== clientUrl) return
- if (e?.data) {
- try {
- const value = JSON.parse(e.data)
- console.log('value', value)
- resolve(value?.accessToken)
- } catch {
- resolve(null)
- }
- } else resolve(e)
- }
- window.addEventListener('message', getIframeResponse)
- })
+ return waitForToken(win, clientUrl)
 }
 }
diff --git a/packages/client/public/root-cookie-accessor-template.html b/packages/client/public/root-cookie-accessor-template.html
index 7aee8f95ee..48f8d51b37 100644
--- a/packages/client/public/root-cookie-accessor-template.html
+++ b/packages/client/public/root-cookie-accessor-template.html
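Review bot: In `hasAccessListener`, `await waitForToken(win, clientUrl)` registers a second `'message'` listener while `hasAccessListener` itself stays attached (its `window.addEventListener('message', hasAccessListener)` is in the context lines and no matching remove is visible), so the iframe's token reply is delivered to both handlers; `hasAccessListener` would parse it and call waitForToken again, which posts another `get` request, repeating until a reply fails the checks. Unless the listener is detached earlier in the function (outside the hunk), add `window.removeEventListener('message', hasAccessListener)` before the `await`. The `if (!e.data) resolve(...)` context line does not return, so an empty message still reaches `JSON.parse(e.data)`; that is pre-existing, but now that the listener is async the resulting throw becomes an unhandled rejection instead of a synchronous error, so a `return` there is worth adding in the same change.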
@@ -97,6 +97,8 @@
 document.cookie = `allowedDomains=${JSON.stringify(allowedDomains)}; SameSite=None; Secure`
 await processMessage(e)
 }
+ } else {
+ parent.postMessage(JSON.stringify({ invalidDomain: true }), e.origin)
 }
 }
 }
diff --git a/packages/server-core/src/networking/allowed-domains/allowed-domains.hooks.ts b/packages/server-core/src/networking/allowed-domains/allowed-domains.hooks.ts
index f23bdaeecc..c78f4fa8f4 100755
--- a/packages/server-core/src/networking/allowed-domains/allowed-domains.hooks.ts
+++ b/packages/server-core/src/networking/allowed-domains/allowed-domains.hooks.ts
@@ -40,7 +40,7 @@ const checkDomain = async (context: HookContext) => {
 console.log('domainToCheck', domainToCheck)
 const additionalDomains = params.additionalDomains
 console.log('additionalDomains', additionalDomains)
- let allowedDomains = [`https://${appConfig.server.clientHost}`, 'https://api-local.etherealengine.com:3000', 'https://local.etherealengine.com:3000']
+ let allowedDomains = [`https://${appConfig.server.clientHost}`, 'https://cool.pants.com', 'https://hot.pants.com']
 console.log('initial allowedDomains', allowedDomains)
 if (additionalDomains && Array.isArray(additionalDomains))
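Review bot: The new `else` branch posts a reply to every origin that fails the allow-list check, but nothing says what the reply is for or who consumes it; on the parent side it is persisted as a sticky localStorage flag, so a comment here would help the next maintainer: `// Tell the embedder its origin is not on the cookie allow-list so it can fall back to its own auth state.` Targeting `e.origin` rather than `'*'` is correct and should stay. Note that `parent` and the sender are only the same window when the message came from the direct embedder; if the intent is to answer whoever sent the message, `e.source?.postMessage(...)` with the same target origin is the more precise choice. The enclosing message handler starts outside the hunk.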