[PM-6377] Fix HCaptcha accessibility and resolve Checkmarx warning (#8005)

Turns out the HCaptcha accessibility feature on desktop stopped working a while back. This PR resolves it and tweaks the implementation to use norefeerer and noopener for improved sandboxing. This comes with the slight tweak in behaviour namely we now get the cookie when you click the back button. To fix hcaptcha not working I needed to use the correct session storage.
2024-03-08 15:25:46 +01:00 · 2024-03-08 15:25:46 +01:00 · bd66d837a5
parent 9e4b96e606
commit bd66d837a5
4 changed files with 7 additions and 43 deletions
--- a/apps/desktop/src/auth/accessibility-cookie.component.html
+++ b/apps/desktop/src/auth/accessibility-cookie.component.html
@ -28,7 +28,7 @@
      <button type="submit" class="btn primary block" [disabled]="!accessibilityForm.valid">
        {{ "submit" | i18n }}
      </button>
-      <button type="button" routerLink="/login" class="btn block">{{ "done" | i18n }}</button>
+      <button type="button" (click)="close()" class="btn block">{{ "done" | i18n }}</button>
    </div>
  </div>
 </form>
--- a/apps/desktop/src/auth/accessibility-cookie.component.ts
+++ b/apps/desktop/src/auth/accessibility-cookie.component.ts
@ -2,14 +2,11 @@ import { Component, NgZone } from "@angular/core";
 import { UntypedFormControl, UntypedFormGroup, Validators } from "@angular/forms";
 import { Router } from "@angular/router";
 import { BroadcasterService } from "@bitwarden/common/platform/abstractions/broadcaster.service";
 import { EnvironmentService } from "@bitwarden/common/platform/abstractions/environment.service";
 import { I18nService } from "@bitwarden/common/platform/abstractions/i18n.service";
 import { PlatformUtilsService } from "@bitwarden/common/platform/abstractions/platform-utils.service";
 import { Utils } from "@bitwarden/common/platform/misc/utils";
 const BroadcasterSubscriptionId = "AccessibilityCookieComponent";
@Component({
  selector: "app-accessibility-cookie",
  templateUrl: "accessibility-cookie.component.html",
@ -27,40 +24,21 @@ export class AccessibilityCookieComponent {
    protected platformUtilsService: PlatformUtilsService,
    protected environmentService: EnvironmentService,
    protected i18nService: I18nService,
    private broadcasterService: BroadcasterService,
    protected ngZone: NgZone,
  ) {}
  async ngOnInit() {
    this.broadcasterService.subscribe(BroadcasterSubscriptionId, async (message: any) => {
      this.ngZone.run(() => {
        switch (message.command) {
          case "windowIsFocused":
            if (this.listenForCookie) {
              this.listenForCookie = false;
              // FIXME: Verify that this floating promise is intentional. If it is, add an explanatory comment and ensure there is proper error handling.
              // eslint-disable-next-line @typescript-eslint/no-floating-promises
              this.checkForCookie();
            }
            break;
          default:
        }
      });
    });
  }
  registerhCaptcha() {
    this.platformUtilsService.launchUri("https://www.hcaptcha.com/accessibility");
  }
-  async checkForCookie() {
+  async close() {
    this.hCaptchaWindow.close();
    const [cookie] = await ipc.auth.getHcaptchaAccessibilityCookie();
    if (cookie) {
      this.onCookieSavedSuccess();
    } else {
      this.onCookieSavedFailure();
    }
    await this.router.navigate(["/login"]);
  }
  onCookieSavedSuccess() {
@ -89,10 +67,6 @@ export class AccessibilityCookieComponent {
      return;
    }
    this.listenForCookie = true;
-    this.hCaptchaWindow = window.open(this.accessibilityForm.value.link);
+    window.open(this.accessibilityForm.value.link, "_blank", "noopener noreferrer");
  }
  ngOnDestroy() {
    this.broadcasterService.unsubscribe(BroadcasterSubscriptionId);
  }
 }
--- a/apps/desktop/src/main/window.main.ts
+++ b/apps/desktop/src/main/window.main.ts
@ -30,7 +30,7 @@ export class WindowMain {
  private windowStateChangeTimer: NodeJS.Timeout;
  private windowStates: { [key: string]: WindowState } = {};
  private enableAlwaysOnTop = false;
-  private session: Electron.Session;
+  session: Electron.Session;
  readonly defaultWidth = 950;
  readonly defaultHeight = 600;
--- a/apps/desktop/src/services/electron-main-messaging.service.ts
+++ b/apps/desktop/src/services/electron-main-messaging.service.ts
@ -1,16 +1,6 @@
 import * as path from "path";
-import {
+import { app, dialog, ipcMain, Menu, MenuItem, nativeTheme, Notification, shell } from "electron";
  app,
  dialog,
  ipcMain,
  Menu,
  MenuItem,
  nativeTheme,
  session,
  Notification,
  shell,
 } from "electron";
 import { MessagingService } from "@bitwarden/common/platform/abstractions/messaging.service";
 import { ThemeType } from "@bitwarden/common/platform/enums";
@ -64,7 +54,7 @@ export class ElectronMainMessagingService implements MessagingService {
    });
    ipcMain.handle("getCookie", async (event, options) => {
-      return await session.defaultSession.cookies.get(options);
+      return await this.windowMain.session.cookies.get(options);
    });
    ipcMain.handle("loginRequest", async (event, options) => {