diff --git a/editor.planx.uk/src/pages/Preview/ResumePage.tsx b/editor.planx.uk/src/pages/Preview/ResumePage.tsx
index 370d0501a6..6edda24386 100644
--- a/editor.planx.uk/src/pages/Preview/ResumePage.tsx
+++ b/editor.planx.uk/src/pages/Preview/ResumePage.tsx
@@ -16,6 +16,7 @@ import { ApplicationPath, SendEmailPayload } from "types";
 import Input from "ui/Input";
 import InputLabel from "ui/InputLabel";
 import InputRow from "ui/InputRow";
+import { removeSessionIdSearchParamWithoutReloading } from "utils";
 import { object, string } from "yup";
 
 import ReconciliationPage from "./ReconciliationPage";
@@ -215,7 +216,14 @@ const ResumePage: React.FC = () => {
     getInitialEmailValue(route.url.query.email),
   );
   const [paymentRequest, setPaymentRequest] = useState();
-  const sessionId = useCurrentRoute().url.query.sessionId;
+
+  // Read the sessionId from the url to validate against
+  const sessionId = route.url.query.sessionId;
+
+  // As the sessionId has been extracted it can now be removed to avoid
+  // unnecessarily exposing it
+  removeSessionIdSearchParamWithoutReloading();
+
   const [reconciliationResponse, setReconciliationResponse] = useState();
diff --git a/editor.planx.uk/src/pages/Preview/SaveAndReturn.test.tsx b/editor.planx.uk/src/pages/Preview/SaveAndReturn.test.tsx
index 87a154a4c6..6c3e5bd5ac 100644
--- a/editor.planx.uk/src/pages/Preview/SaveAndReturn.test.tsx
+++ b/editor.planx.uk/src/pages/Preview/SaveAndReturn.test.tsx
@@ -67,7 +67,7 @@ describe("Save and Return component", () => {
     expect(results).toHaveNoViolations();
   });
 
-  it("stores the sessionId as part of the URL once an email has been submitted", async () => {
+  it("does not store the sessionId as part of the URL once an email has been submitted", async () => {
     const children = ;
     const { user } = setup();
 
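Review bot: In the `@@ -215,7 +216,14 @@` hunk, `removeSessionIdSearchParamWithoutReloading()` is executed in the render body of `ResumePage`, so it is a side effect that runs on every render rather than once after mount, and `sessionId` is re-read from `route.url.query` on each render, so if the router reflects the rewritten URL the value may become undefined on a later render. Capture the id once and move the URL rewrite into an effect: `const [sessionId] = useState(() => route.url.query.sessionId);` followed by `useEffect(() => { removeSessionIdSearchParamWithoutReloading(); }, []);` (`useEffect` would need importing if it is not already in scope). Whether the router observes `replaceState` cannot be confirmed from the hunk; if it does not, the second concern is moot but the render-time side effect remains. Note also that the id has already been recorded by the browser's history and any referrer before this code runs, so the cleanup limits exposure on subsequent navigation rather than removing it entirely. The `ResumePage` body continues outside the hunk.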
@@ -89,7 +89,7 @@ describe("Save and Return component", () => {
       expect(screen.getByText("Testing 123")).toBeInTheDocument();
     });
 
-    expect(window.location.href).toContain(`sessionId=${sessionId}`);
+    expect(window.location.href).not.toContain(`sessionId=${sessionId}`);
   });
 });
diff --git a/editor.planx.uk/src/pages/Preview/SaveAndReturn.tsx b/editor.planx.uk/src/pages/Preview/SaveAndReturn.tsx
index 431c52d5a1..eaab65c3a4 100644
--- a/editor.planx.uk/src/pages/Preview/SaveAndReturn.tsx
+++ b/editor.planx.uk/src/pages/Preview/SaveAndReturn.tsx
@@ -84,20 +84,10 @@ const SaveAndReturn: React.FC<{ children: React.ReactNode }> = ({
   children,
 }) => {
   const isEmailCaptured = Boolean(useStore((state) => state.saveToEmail));
-  const sessionId = useStore((state) => state.sessionId);
   const isContentPage = useCurrentRoute()?.data?.isContentPage;
 
-  // Setting the URL search param "sessionId" will route the user to ApplicationPath.Resume
-  // Without this the user will need to click the magic link in their email after a refresh
-  const allowResumeOnBrowserRefresh = () => {
-    const url = new URL(window.location.href);
-    url.searchParams.set("sessionId", sessionId);
-    window.history.pushState({}, document.title, url);
-  };
-
   const handleSubmit = (email: string) => {
     useStore.setState({ saveToEmail: email });
-    allowResumeOnBrowserRefresh();
   };
 
   return (
diff --git a/editor.planx.uk/src/utils.ts b/editor.planx.uk/src/utils.ts
index 754cc1902f..edf1aa191c 100644
--- a/editor.planx.uk/src/utils.ts
+++ b/editor.planx.uk/src/utils.ts
@@ -62,3 +62,9 @@ export const removeSessionIdSearchParam = () => {
   window.history.pushState({}, document.title, currentURL);
   window.location.reload();
 };
+
+export const removeSessionIdSearchParamWithoutReloading = () => {
+  const currentURL = new URL(window.location.href);
+  currentURL.searchParams.delete("sessionId");
+  window.history.replaceState({}, document.title, currentURL);
+};
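Review bot: In the `utils.ts` hunk, the exported `removeSessionIdSearchParamWithoutReloading` has no doc comment explaining why it deliberately differs from its sibling: `replaceState` overwrites the current history entry so the URL carrying the sessionId is not kept as a Back-navigable entry, whereas `removeSessionIdSearchParam` directly above uses `pushState`, which leaves that entry in history. Suggested TSDoc: `/** Strips "sessionId" from the current URL in place via replaceState (no reload, no new history entry) so the id is not retained in browser history; does not fire popstate, so client-side routers are not notified. */`. Consider also returning early when the parameter is absent, `if (!currentURL.searchParams.has("sessionId")) return;`, so that a caller invoked on every render does not rewrite history needlessly.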