From fcc4df227e74eb399d496b3bb14e69a1617f4512 Mon Sep 17 00:00:00 2001
From: Mike Heneghan
Date: Mon, 27 Nov 2023 15:53:44 +0000
Subject: [PATCH] fix: on loading a magic resume link and reading sessionId remove it from the url

- Exposing the sessionId has security implications
- The sessionId and the user email are required to successfully resume their session
- Read the sessionId but then immediately remove it from the url.
- This means it's barely visible and not dispalyed for the rest of the session
---
 editor.planx.uk/src/pages/Preview/ResumePage.tsx | 10 +++++++++-
 editor.planx.uk/src/utils.ts | 6 ++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/editor.planx.uk/src/pages/Preview/ResumePage.tsx b/editor.planx.uk/src/pages/Preview/ResumePage.tsx
index 370d0501a6..6edda24386 100644
--- a/editor.planx.uk/src/pages/Preview/ResumePage.tsx
+++ b/editor.planx.uk/src/pages/Preview/ResumePage.tsx
@@ -16,6 +16,7 @@ import { ApplicationPath, SendEmailPayload } from "types";
 import Input from "ui/Input";
 import InputLabel from "ui/InputLabel";
 import InputRow from "ui/InputRow";
+import { removeSessionIdSearchParamWithoutReloading } from "utils";
 import { object, string } from "yup";
 import ReconciliationPage from "./ReconciliationPage";
@@ -215,7 +216,14 @@ const ResumePage: React.FC = () => {
 getInitialEmailValue(route.url.query.email),
 );
 const [paymentRequest, setPaymentRequest] = useState();
- const sessionId = useCurrentRoute().url.query.sessionId;
+
+ // Read the sessionId from the url to validate against
+ const sessionId = route.url.query.sessionId;
+
+ // As the sessionId has been extracted it can now be removed to avoid
+ // unnecessarily exposing it
+ removeSessionIdSearchParamWithoutReloading();
+
 const [reconciliationResponse, setReconciliationResponse] = useState();
diff --git a/editor.planx.uk/src/utils.ts b/editor.planx.uk/src/utils.ts
index 754cc1902f..edf1aa191c 100644
--- a/editor.planx.uk/src/utils.ts
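Review bot: `removeSessionIdSearchParamWithoutReloading()` is called directly in the body of `ResumePage`, so the history rewrite is a side effect of rendering and is repeated on every render; it belongs in a mount effect, `useEffect(() => { removeSessionIdSearchParamWithoutReloading(); }, []);`. Because `sessionId` is re-read from `route.url.query` on each render while the URL is changed behind the router's back, it would be safer to capture it once, e.g. `const [sessionId] = useState(() => route.url.query.sessionId);`, in case the router ever re-syncs with the address bar and the value becomes undefined before validation. The comment should also say what the removal does not cover: the initial request, and anything that read `location.href` before this component rendered, has already seen the id, and the `email` query parameter read a few lines above stays in the URL. `ResumePage` starts and ends outside this hunk.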
+++ b/editor.planx.uk/src/utils.ts
@@ -62,3 +62,9 @@ export const removeSessionIdSearchParam = () => {
 window.history.pushState({}, document.title, currentURL);
 window.location.reload();
 };
+
+export const removeSessionIdSearchParamWithoutReloading = () => {
+ const currentURL = new URL(window.location.href);
+ currentURL.searchParams.delete("sessionId");
+ window.history.replaceState({}, document.title, currentURL);
+};
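Review bot: `replaceState({}, document.title, currentURL)` overwrites the current entry's `history.state` with an empty object, which would discard anything the router keeps there (not visible in this hunk); passing the existing state through, `window.history.replaceState(window.history.state, "", currentURL);`, keeps the change limited to the query string. Using `replaceState` rather than the `pushState` of `removeSessionIdSearchParam` above is the right call, since it leaves no extra history entry that still carries the id, and a doc comment should say so: `/** Drops sessionId from the current history entry without reloading; does not invalidate the session or clear copies already logged. */`. The two functions share the URL-rewriting lines and could call one helper.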