From ea49921bb3e473efdc5a62fb25d3f7a21890d056 Mon Sep 17 00:00:00 2001 From: Abby Wheelis Date: Tue, 24 Oct 2023 14:10:51 -0600 Subject: [PATCH 1/4] add more url checks we need to make sure that nobody scans a random qr code and gets into the app with an invalid token, we can help prevent that by checking that the qr code contains the right elements --- www/js/onboarding/WelcomePage.tsx | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/www/js/onboarding/WelcomePage.tsx b/www/js/onboarding/WelcomePage.tsx index 3589923c8..a6df7f2ee 100644 --- a/www/js/onboarding/WelcomePage.tsx +++ b/www/js/onboarding/WelcomePage.tsx @@ -20,12 +20,25 @@ const WelcomePage = () => { const [infoPopupVis, setInfoPopupVis] = useState(false); const [existingToken, setExistingToken] = useState(''); + const checkURL = function (result) { + let notCancelled = result.cancelled == false; + let isQR = result.format == "QR_CODE"; + let hasPrefix = false; + if (__DEV__) { + hasPrefix = result.text.startsWith("emission"); + } else { + hasPrefix = result.text.startsWith("nrelopenpath"); + } + let hasToken = result.text.includes("login_token?token"); + + return notCancelled && isQR && hasPrefix && hasToken; + } + const scanCode = function() { - window.cordova.plugins.barcodeScanner.scan( + window['cordova'].plugins.barcodeScanner.scan( function (result) { console.debug("scanned code", result); - if (result.format == "QR_CODE" && - result.cancelled == false) { + if (checkURL(result)) { let text = result.text.split("=")[1]; console.log("found code", text); loginWithToken(text); From 5da390968328cd493c46ba10c67b30fb703f7ff4 Mon Sep 17 00:00:00 2001 
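Review bot: The token handed to `loginWithToken` comes from `result.text.split("=")[1]`, which is whatever sits between the first and second `=` in the scanned text, not necessarily the `token` parameter that `checkURL` looked for; `startsWith(...)` and `includes("login_token?token")` likewise match substrings rather than the URL's structure. Parsing once and reading the parameter ties validation and extraction together, e.g. `const token = new URL(result.text).searchParams.get("token");` inside a try/catch, rejecting the scan when it is null or empty. `checkURL` also reads `result.text` before `notCancelled` is taken into account, so a cancelled scan that carries no text would throw; testing `result.cancelled` first avoids that. The context line `console.log("found code", text)` writes the login token to the console. The body of `scanCode` continues outside the hunk.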
From: Abby Wheelis Date: Tue, 24 Oct 2023 17:21:03 -0600 Subject: [PATCH 2/4] updates to check code added a log statement, and verifying that the first part of the opcode is "nrelopenpath" or "emission" -- the staging opcodes start with "emission", but sometimes we use production opcodes to test things in develpoment --- www/js/onboarding/WelcomePage.tsx | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/www/js/onboarding/WelcomePage.tsx b/www/js/onboarding/WelcomePage.tsx index a6df7f2ee..cd3734059 100644 --- a/www/js/onboarding/WelcomePage.tsx +++ b/www/js/onboarding/WelcomePage.tsx @@ -5,7 +5,7 @@ import { Button, Dialog, Divider, IconButton, Surface, Text, TextInput, Touchabl import color from 'color'; import { initByUser } from '../config/dynamicConfig'; import { AppContext } from '../App'; -import { displayError } from "../plugin/logger"; +import { displayError, logDebug } from "../plugin/logger"; import { onboardingStyles } from './OnboardingStack'; import { Icon } from '../components/Icon'; @@ -23,14 +23,11 @@ const WelcomePage = () => { const checkURL = function (result) { let notCancelled = result.cancelled == false; let isQR = result.format == "QR_CODE"; - let hasPrefix = false; - if (__DEV__) { - hasPrefix = result.text.startsWith("emission"); - } else { - hasPrefix = result.text.startsWith("nrelopenpath"); - } + let hasPrefix = result.text.split(":")[0] == "nrelopenpath" || result.text.split(":")[0] == "emission"; let hasToken = result.text.includes("login_token?token"); + logDebug("QR code " + result.text + " checks: cancel, format, prefix, params " + notCancelled + isQR + hasPrefix + hasToken); + return notCancelled && isQR && hasPrefix && hasToken; } From 636051936971075d7b5179e5919ad7b234866b72 Mon Sep 17 00:00:00 2001 
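Review bot: The new `logDebug` call in `checkURL` writes the whole of `result.text` to the debug log, and for a valid code that text contains the login token. Logging the check results without the payload keeps the diagnostic value, e.g. `logDebug("QR code checks: cancel, format, prefix, params " + [notCancelled, isQR, hasPrefix, hasToken].join(", "));`, which also separates the four booleans that the current concatenation runs together. Where `logDebug` stores its output is not visible here, so how long a token would persist is an open question. The same line is carried unchanged as context in the WelcomePage.tsx hunk of PATCH 4/4.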
From: Abby Wheelis Date: Tue, 24 Oct 2023 17:51:28 -0600 Subject: [PATCH 3/4] Update QrCode.tsx make sure qr code is made with the whole url link --- www/js/components/QrCode.tsx | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/www/js/components/QrCode.tsx b/www/js/components/QrCode.tsx index edd120c22..0499b4c46 100644 --- a/www/js/components/QrCode.tsx +++ b/www/js/components/QrCode.tsx @@ -35,6 +35,11 @@ export function shareQR(message) { } const QrCode = ({ value, ...rest }) => { + let hasLink = value.toString().includes("//"); + if(!hasLink) { + value = "nrelopenpath://login_token?token=" + value; + } + return ; }; From 2d930f881041211c59c34011b815b58b03370f3e Mon Sep 17 00:00:00 2001 From: "K. Shankari" Date: Tue, 24 Oct 2023 20:00:06 -0700 Subject: [PATCH 4/4] Use only `emission` externally Long term, this should be part of the app config https://github.com/e-mission/e-mission-docs/issues/985#issuecomment-1769790309 --- www/js/components/QrCode.tsx | 2 +- www/js/onboarding/WelcomePage.tsx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/www/js/components/QrCode.tsx b/www/js/components/QrCode.tsx index 0499b4c46..74c66863f 100644 --- a/www/js/components/QrCode.tsx +++ b/www/js/components/QrCode.tsx @@ -37,7 +37,7 @@ export function shareQR(message) { const QrCode = ({ value, ...rest }) => { let hasLink = value.toString().includes("//"); if(!hasLink) { - value = "nrelopenpath://login_token?token=" + value; + value = "emission://login_token?token=" + value; } return ; diff --git a/www/js/onboarding/WelcomePage.tsx b/www/js/onboarding/WelcomePage.tsx index cd3734059..5653218d7 100644 --- a/www/js/onboarding/WelcomePage.tsx +++ b/www/js/onboarding/WelcomePage.tsx 
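Review bot: In QrCode.tsx (PATCH 3/4), `value.toString().includes("//")` treats any value containing `//` anywhere as already being a link, so a bare token that happens to contain those characters would be encoded without the scheme and then fail the scanner's prefix check. Testing for the scheme at the start of the string, e.g. `value.toString().startsWith("nrelopenpath://")` with whichever scheme the scanner accepts, keeps the generator in step with `checkURL`. The token is also concatenated unescaped; if tokens can contain `=`, `&` or `#`, wrap it as `encodeURIComponent(value)` and decode on the scanning side. Whether tokens can contain those characters is not visible here.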
@@ -23,7 +23,7 @@ const WelcomePage = () => { const checkURL = function (result) { let notCancelled = result.cancelled == false; let isQR = result.format == "QR_CODE"; - let hasPrefix = result.text.split(":")[0] == "nrelopenpath" || result.text.split(":")[0] == "emission"; + let hasPrefix = result.text.split(":")[0] == "emission"; let hasToken = result.text.includes("login_token?token"); logDebug("QR code " + result.text + " checks: cancel, format, prefix, params " + notCancelled + isQR + hasPrefix + hasToken);
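Review bot: `hasPrefix` now accepts only the literal `emission`, and the matching literal is prepended in QrCode.tsx by the other hunk of this patch, with nothing tying the two together. Until the scheme moves into the app config, a comment on this line such as `// must match the scheme QrCode.tsx prepends ("emission://")` would keep generator and validator from drifting apart. Codes carrying `nrelopenpath://`, which PATCH 3/4 generated, are rejected from here on; whether any were distributed is not visible here. `checkURL` starts and ends outside the hunk.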