From 067fe7d20679d6b4c7944adced0abd55b6e9cf16 Mon Sep 17 00:00:00 2001
From: Mike Heneghan
Date: Mon, 27 Nov 2023 14:32:49 +0000
Subject: [PATCH] fix: remove resume on browser refresh to avoid exposing sessionId

- Temporarily removing the feature which allows users to resume on browser refresh
- The implementation exposed the sessionId which has security implications
- Removed the code for the feature and accompanying test
---
 .../src/pages/Preview/SaveAndReturn.test.tsx | 27 +------------------
 .../src/pages/Preview/SaveAndReturn.tsx | 10 -------
 2 files changed, 1 insertion(+), 36 deletions(-)

diff --git a/editor.planx.uk/src/pages/Preview/SaveAndReturn.test.tsx b/editor.planx.uk/src/pages/Preview/SaveAndReturn.test.tsx
index 87a154a4c6..57ea47dd5e 100644
--- a/editor.planx.uk/src/pages/Preview/SaveAndReturn.test.tsx
+++ b/editor.planx.uk/src/pages/Preview/SaveAndReturn.test.tsx
@@ -1,5 +1,5 @@
 import Button from "@mui/material/Button";
-import { act, screen, waitFor } from "@testing-library/react";
+import { act, screen } from "@testing-library/react";
 import { FullStore, vanillaStore } from "pages/FlowEditor/lib/store";
 import React from "react";
 import { axe, setup } from "testUtils";
@@ -66,31 +66,6 @@ describe("Save and Return component", () => {
     const results = await axe(container);
     expect(results).toHaveNoViolations();
   });
-
-  it("stores the sessionId as part of the URL once an email has been submitted", async () => {
-    const children = ;
-    const { user } = setup();
-
-    const sessionId = getState().sessionId;
-    expect(sessionId).toBeDefined();
-
-    await user.type(screen.getByLabelText("Email address"), "test@test.com");
-    await user.type(
-      screen.getByLabelText("Confirm email address"),
-      "test@test.com",
-    );
-
-    expect(window.location.href).not.toContain("sessionId");
-    expect(window.location.href).not.toContain(sessionId);
-
-    await user.click(screen.getByTestId("continue-button"));
-
-    await waitFor(() => {
-      expect(screen.getByText("Testing 123")).toBeInTheDocument();
-    });
-
-    expect(window.location.href).toContain(`sessionId=${sessionId}`);
-  });
 });
 
 describe("ConfirmEmail component", () => {
diff --git a/editor.planx.uk/src/pages/Preview/SaveAndReturn.tsx b/editor.planx.uk/src/pages/Preview/SaveAndReturn.tsx
index 431c52d5a1..eaab65c3a4 100644
--- a/editor.planx.uk/src/pages/Preview/SaveAndReturn.tsx
+++ b/editor.planx.uk/src/pages/Preview/SaveAndReturn.tsx
@@ -84,20 +84,10 @@ const SaveAndReturn: React.FC<{ children: React.ReactNode }> = ({
   children,
 }) => {
   const isEmailCaptured = Boolean(useStore((state) => state.saveToEmail));
-  const sessionId = useStore((state) => state.sessionId);
   const isContentPage = useCurrentRoute()?.data?.isContentPage;
 
-  // Setting the URL search param "sessionId" will route the user to ApplicationPath.Resume
-  // Without this the user will need to click the magic link in their email after a refresh
-  const allowResumeOnBrowserRefresh = () => {
-    const url = new URL(window.location.href);
-    url.searchParams.set("sessionId", sessionId);
-    window.history.pushState({}, document.title, url);
-  };
-
   const handleSubmit = (email: string) => {
     useStore.setState({ saveToEmail: email });
-    allowResumeOnBrowserRefresh();
   };
 
   return (
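Review bot: `handleSubmit` now only records the email, but nothing left in the code says why the `pushState` of `sessionId` was dropped, so a later maintainer may simply reinstate it; a why-comment would preserve the reasoning, e.g. `// Resume-on-refresh deliberately removed: putting sessionId in the URL exposes it (browser history, referrers, server logs). Re-add only via a mechanism that keeps sessionId out of the URL.` This hunk also removes only the writer of the `sessionId` search param; the deleted comment states that the param routes the user to `ApplicationPath.Resume`, and that reader is not touched in this commit, so a previously issued or shared `?sessionId=` URL presumably still resumes a session — worth confirming what that route validates before treating the exposure as closed. The `SaveAndReturn` component body continues past the end of the hunk.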