From 1aa48dac080574c0d33126fd06f25879f441e228 Mon Sep 17 00:00:00 2001 From: Desu Sai Venkat <48179357+desusai7@users.noreply.github.com> Date: Wed, 8 May 2024 16:04:53 +0530 Subject: [PATCH] fix: removed the possibility of concurrent webauth transactions to handle continuation misuse (#848) --- Auth0/Auth0WebAuth.swift | 10 ++++++++++ Auth0/AuthenticationError.swift | 2 +- Auth0/WebAuthError.swift | 3 +++ Auth0Tests/WebAuthErrorSpec.swift | 7 +++++++ Auth0Tests/WebAuthSpec.swift | 2 ++ 5 files changed, 23 insertions(+), 1 deletion(-) diff --git a/Auth0/Auth0WebAuth.swift b/Auth0/Auth0WebAuth.swift index f211a38f..752b93dd 100644 --- a/Auth0/Auth0WebAuth.swift +++ b/Auth0/Auth0WebAuth.swift @@ -158,6 +158,11 @@ final class Auth0WebAuth: WebAuth { } func start(_ callback: @escaping (WebAuthResult) -> Void) { + + if self.storage.current != nil { + return callback(.failure(WebAuthError(code: .transactionActiveAlready))) + } + guard let redirectURL = self.redirectURL else { return callback(.failure(WebAuthError(code: .noBundleIdentifier))) } @@ -207,6 +212,11 @@ final class Auth0WebAuth: WebAuth { } func clearSession(federated: Bool, callback: @escaping (WebAuthResult) -> Void) { + + if self.storage.current != nil { + return callback(.failure(WebAuthError(code: .transactionActiveAlready))) + } + let endpoint = federated ? URL(string: "v2/logout?federated", relativeTo: self.url)! : URL(string: "v2/logout", relativeTo: self.url)! diff --git a/Auth0/AuthenticationError.swift b/Auth0/AuthenticationError.swift index 66b24c15..bfe09b1d 100644 --- a/Auth0/AuthenticationError.swift +++ b/Auth0/AuthenticationError.swift @@ -184,7 +184,7 @@ extension AuthenticationError { return "Received error with code \(self.code)." } - + } // MARK: - Equatable diff --git a/Auth0/WebAuthError.swift b/Auth0/WebAuthError.swift index 9be4a9af..7552261d 100644 --- a/Auth0/WebAuthError.swift +++ b/Auth0/WebAuthError.swift 
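Review bot: The new `if self.storage.current != nil` guard at the top of `start(_:)` is a check-then-act on shared state: nothing in the hunk serializes this read against the store of the new transaction that presumably happens later in the method (outside the hunk), so two `start` calls racing from different threads can both observe `nil` and both proceed — the very double-transaction the commit is trying to rule out — unless `TransactionStore` itself serializes check-and-store, which I cannot see from here. If it does not, prefer one atomic operation on the store (a method that stores only when the slot is empty and reports whether it did) over a separate read followed by a later write. The guard also deserves a why-comment, since the rationale currently lives only in the commit title: `// Refuse to start while another transaction is pending: replacing it could leave the first caller's callback or async continuation unresolved (#848).` `start(_:)` continues past the end of the hunk.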
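Review bot: Once a transaction is stuck in the store, `clearSession(federated:callback:)` now fails permanently with `transactionActiveAlready` just like `start(_:)`, and the hunk adds no recovery path: if an earlier session is dismissed without the stored transaction ever being resumed or cancelled (whatever clears `storage.current` lives outside this hunk), both login and logout stay locked out until the process restarts. Worth confirming that every exit of a transaction — success, user cancel, system dismissal, a resume URL that fails validation — clears the store, and stating that expectation in a doc comment on the error. Note also that login and logout now share a single mutual-exclusion slot, so a pending `start` blocks `clearSession` and vice versa; if that is intended, a one-line comment saying so will stop a future "fix" from removing it. The guard is duplicated verbatim from `start(_:)`; a small private helper such as `private func failIfTransactionActive(_ callback: (WebAuthResult) -> Void) -> Bool` would keep both entry points in sync. The method body continues outside the hunk.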
@@ -6,6 +6,7 @@ public struct WebAuthError: Auth0Error { enum Code: Equatable { case noBundleIdentifier + case transactionActiveAlready case invalidInvitationURL(String) case userCancelled case noAuthorizationCode([String: String]) @@ -79,6 +80,8 @@ extension WebAuthError { switch self.code { case .noBundleIdentifier: return "Unable to retrieve the bundle identifier from Bundle.main.bundleIdentifier," + " or it could not be used to build a valid URL." + case .transactionActiveAlready: return "Failed to start this transaction, as there is an active transaction at the" + + " moment." case .invalidInvitationURL(let url): return "The invitation URL (\(url)) is missing the 'invitation' and/or" + " the 'organization' query parameters." case .userCancelled: return "The user cancelled the Web Auth operation." diff --git a/Auth0Tests/WebAuthErrorSpec.swift b/Auth0Tests/WebAuthErrorSpec.swift index 4e3c31f1..782ae3ba 100644 --- a/Auth0Tests/WebAuthErrorSpec.swift +++ b/Auth0Tests/WebAuthErrorSpec.swift @@ -86,6 +86,13 @@ class WebAuthErrorSpec: QuickSpec { expect(error.localizedDescription) == message } + it("should return message for transaction active already") { + let message = "Failed to start this transaction, as there is an active transaction at the" + + " moment." + let error = WebAuthError(code: .transactionActiveAlready) + expect(error.localizedDescription) == message + } + it("should return message for invalid invitation URL") { let url = "https://samples.auth0.com" let message = "The invitation URL (\(url)) is missing the 'invitation' and/or" diff --git a/Auth0Tests/WebAuthSpec.swift b/Auth0Tests/WebAuthSpec.swift index cfe8f094..54b6e362 100644 --- a/Auth0Tests/WebAuthSpec.swift +++ b/Auth0Tests/WebAuthSpec.swift @@ -475,6 +475,7 @@ class WebAuthSpec: QuickSpec { beforeEach { auth = newWebAuth() + TransactionStore.shared.clear() } it("should start the supplied provider") { 
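Review bot: `enum Code` is declared without `public`, so adding `case transactionActiveAlready` here gives app code no typed way to recognize the new failure; unless the file's public surface (outside this chunk) also gains a matching public constant or accessor the way the other codes may have, callers are reduced to string-matching `localizedDescription`, which is brittle and will break if the message is ever reworded. Since the whole point of the change is that the app is calling the SDK in the wrong order, a developer needs to be able to branch on this case specifically (retry after the pending transaction finishes rather than treat it as an Auth0 outage). A doc comment on the case would also help, e.g. `/// Another Web Auth transaction is still pending; wait for it to finish or cancel it before starting a new one.` The `Code` enum continues outside the hunk.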
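Review bot: The new message for `.transactionActiveAlready` in the `switch` tells the developer what went wrong but not what to do, which matters here because this error is a client-side sequencing mistake rather than a server or network failure and will otherwise show up in bug reports as a mysterious intermittent login failure. Consider extending it, e.g. `"Failed to start this transaction, as there is an active transaction at the moment." + " Wait for it to finish, or cancel it, before starting another."`, and updating the expectation in `WebAuthErrorSpec` accordingly. The `switch` over `self.code` continues outside the hunk.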
@@ -600,6 +601,7 @@ class WebAuthSpec: QuickSpec { beforeEach { auth = newWebAuth() + TransactionStore.shared.clear() } it("should start the supplied provider") {
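Review bot: Neither this hunk nor the earlier `beforeEach` change adds a test for the behaviour the commit introduces — per the diffstat `WebAuthSpec.swift` gains only the two `TransactionStore.shared.clear()` lines — so the new `transactionActiveAlready` branches in `start(_:)` and `clearSession(federated:callback:)` have no coverage and could regress silently. Add one `it` per entry point that seeds `TransactionStore.shared` with a transaction (via whatever store API the production code uses), calls `auth.start` or `auth.clearSession`, and expects the callback to receive `.failure(WebAuthError(code: .transactionActiveAlready))`, plus an assertion that the seeded transaction is still the current one afterwards rather than having been replaced. The `clear()` in `beforeEach` also shows the store is process-global state shared across specs; a matching `afterEach` clear (or clearing at the end of the tests that register a transaction) would stop one failing test from poisoning the next `describe` block. The enclosing `describe`/`context` block starts outside the hunk.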