fix: remove resume on browser refresh to avoid exposing sessionId

- Temporarily removing the feature which allows users to resume on browser refresh - The implementation exposed the sessionId which has security implications - Removed the code for the feature and accompanying test
theopensystemslab · Nov 27, 2023 · 067fe7d · 067fe7d
1 parent 8f42ff4
commit 067fe7d
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 36 deletions.
diff --git a/editor.planx.uk/src/pages/Preview/SaveAndReturn.test.tsx b/editor.planx.uk/src/pages/Preview/SaveAndReturn.test.tsx
@@ -1,5 +1,5 @@
 import Button from "@mui/material/Button";
-import { act, screen, waitFor } from "@testing-library/react";
+import { act, screen } from "@testing-library/react";
 import { FullStore, vanillaStore } from "pages/FlowEditor/lib/store";
 import React from "react";
 import { axe, setup } from "testUtils";
@@ -66,31 +66,6 @@ describe("Save and Return component", () => {
     const results = await axe(container);
     expect(results).toHaveNoViolations();
   });
-
-  it("stores the sessionId as part of the URL once an email has been submitted", async () => {
-    const children = <Button>Testing 123</Button>;
-    const { user } = setup(<SaveAndReturn children={children}></SaveAndReturn>);
-
-    const sessionId = getState().sessionId;
-    expect(sessionId).toBeDefined();
-
-    await user.type(screen.getByLabelText("Email address"), "[email protected]");
-    await user.type(
-      screen.getByLabelText("Confirm email address"),
-      "[email protected]",
-    );
-
-    expect(window.location.href).not.toContain("sessionId");
-    expect(window.location.href).not.toContain(sessionId);
-
-    await user.click(screen.getByTestId("continue-button"));
-
-    await waitFor(() => {
-      expect(screen.getByText("Testing 123")).toBeInTheDocument();
-    });
-
-    expect(window.location.href).toContain(`sessionId=${sessionId}`);
-  });
 });
 
 describe("ConfirmEmail component", () => {

diff --git a/editor.planx.uk/src/pages/Preview/SaveAndReturn.tsx b/editor.planx.uk/src/pages/Preview/SaveAndReturn.tsx
@@ -84,20 +84,10 @@ const SaveAndReturn: React.FC<{ children: React.ReactNode }> = ({
   children,
 }) => {
   const isEmailCaptured = Boolean(useStore((state) => state.saveToEmail));
-  const sessionId = useStore((state) => state.sessionId);
   const isContentPage = useCurrentRoute()?.data?.isContentPage;
 
-  // Setting the URL search param "sessionId" will route the user to ApplicationPath.Resume
-  // Without this the user will need to click the magic link in their email after a refresh
-  const allowResumeOnBrowserRefresh = () => {
-    const url = new URL(window.location.href);
-    url.searchParams.set("sessionId", sessionId);
-    window.history.pushState({}, document.title, url);
-  };
-
   const handleSubmit = (email: string) => {
     useStore.setState({ saveToEmail: email });
-    allowResumeOnBrowserRefresh();
   };
 
   return (