diff --git a/.env.example b/.env.example
index 49a4f5f..2e44075 100644
--- a/.env.example
+++ b/.env.example
@@ -5,4 +5,5 @@ REACT_APP_DEFAULT_GAS_PRICE=0.025
 REACT_APP_GAS_ADJUSTMENT=2
 REACT_APP_LACONICD_RPC_URL=https://laconicd-sapo.laconic.com
+# Example: https://example-url-1.com,https://example-url-2.com
 REACT_APP_ALLOWED_URLS=
diff --git a/src/App.tsx b/src/App.tsx
index 8066c61..201489f 100644
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -395,7 +395,6 @@ const App = (): React.JSX.Element => {
 name="sign-request-embed"
 component={SignMessageEmbed}
 options={{
- // eslint-disable-next-line react/no-unstable-nested-components
 header: () =>
, }} />
diff --git a/src/hooks/useGetOrCreateAccounts.ts b/src/hooks/useGetOrCreateAccounts.ts
index 28b51f7..8a0e10b 100644
--- a/src/hooks/useGetOrCreateAccounts.ts
+++ b/src/hooks/useGetOrCreateAccounts.ts
@@ -6,6 +6,8 @@ import useAccountsData from "./useAccountsData";
 import { useNetworks } from "../context/NetworksContext";
 import { useAccounts } from "../context/AccountsContext";
+const REACT_APP_ALLOWED_URLS = process.env.REACT_APP_ALLOWED_URLS
+
 const useGetOrCreateAccounts = () => {
 const { networksData } = useNetworks();
 const { getAccountsData } = useAccountsData();
@@ -31,6 +33,18 @@ const useGetOrCreateAccounts = () => {
 const handleCreateAccounts = async (event: MessageEvent) => {
 if (event.data.type !== 'REQUEST_CREATE_OR_GET_ACCOUNTS') return;
+ if (!REACT_APP_ALLOWED_URLS) {
+ console.log('allowed URLs are not set.');
+ return;
+ }
+
+ const allowedUrls = REACT_APP_ALLOWED_URLS.split(',').map(url => url.trim());
+
+ if (!allowedUrls.includes(event.origin)) {
+ console.log('Unauthorized app.');
+ return;
+ }
+
 const accountsData = await getOrCreateAccountsForChain(event.data.chainId);
 sendMessage(
@@ -42,7 +56,7 @@ const useGetOrCreateAccounts = () => {
 const autoCreateAccounts = async () => {
 const defaultChainId = networksData[0]?.chainId;
-
+
 if (!defaultChainId) {
 console.log('useGetOrCreateAccounts: No default chainId found');
 return;
@@ -60,7 +74,7 @@ const useGetOrCreateAccounts = () => {
 window.addEventListener('message', handleCreateAccounts);
 const isAndroidWebView = !!(window.Android);
-
+
 if (isAndroidWebView) {
 autoCreateAccounts();
 }
diff --git a/src/screens/AutoSignIn.tsx b/src/screens/AutoSignIn.tsx
index a791230..bb19267 100644
--- a/src/screens/AutoSignIn.tsx
+++ b/src/screens/AutoSignIn.tsx
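Review bot: The added `const REACT_APP_ALLOWED_URLS = process.env.REACT_APP_ALLOWED_URLS` line lacks the terminating semicolon that every other statement in this hunk carries; the same line, also without a semicolon, is added in src/screens/AutoSignIn.tsx. Since the value is read from `process.env` at module scope, a short comment above it would spare the next reader a search, e.g. `// Comma-separated list of origins allowed to request accounts; compared against event.origin in handleCreateAccounts.`. If this is a Create React App build, `REACT_APP_*` values are inlined at build time rather than read at runtime, which is worth stating in that comment if it applies.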
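Review bot: `allowedUrls.includes(event.origin)` is an exact string comparison, so a configured entry with a trailing slash, a path, or an upper-case host never matches the browser-supplied origin (`scheme://host[:port]`, lower-case) and the request is refused with no hint as to why; normalising each entry through `new URL(entry).origin` before comparing, and dropping entries that fail to parse, makes the list match what `event.origin` actually carries. A trailing comma in the variable also produces an empty-string entry after `trim()`, which `.filter(Boolean)` would remove. The rejection log `console.log('Unauthorized app.')` would help troubleshooting if it named the origin, e.g. `console.log('Unauthorized app:', event.origin);`. The identical split-and-compare block is added in src/screens/AutoSignIn.tsx, so a shared helper in the utils module would keep the two handlers in step; handleCreateAccounts continues past the end of this hunk.
```typescript
// Parsed once at module scope; entries are normalised to origins so they compare equal to event.origin.
const allowedOrigins = (REACT_APP_ALLOWED_URLS ?? '')
  .split(',')
  .map(entry => entry.trim())
  .filter(Boolean)
  .flatMap(entry => {
    try {
      return [new URL(entry).origin];
    } catch {
      console.log('ignoring malformed REACT_APP_ALLOWED_URLS entry:', entry);
      return [];
    }
  });

const handleCreateAccounts = async (event: MessageEvent) => {
  if (event.data.type !== 'REQUEST_CREATE_OR_GET_ACCOUNTS') return;

  if (allowedOrigins.length === 0) {
    console.log('allowed URLs are not set.');
    return;
  }

  if (!allowedOrigins.includes(event.origin)) {
    console.log('Unauthorized app:', event.origin);
    return;
  }

  // … unchanged: getOrCreateAccountsForChain / sendMessage …
```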
@@ -7,6 +7,8 @@ import { sendMessage } from '../utils/misc';
 import useAccountsData from '../hooks/useAccountsData';
 import useGetOrCreateAccounts from '../hooks/useGetOrCreateAccounts';
+const REACT_APP_ALLOWED_URLS = process.env.REACT_APP_ALLOWED_URLS
+
 export const AutoSignIn = () => {
 const { networksData } = useNetworks();
@@ -16,9 +18,14 @@ export const AutoSignIn = () => {
 const handleSignIn = async (event: MessageEvent) => {
 if (event.data.type !== 'AUTO_SIGN_IN') return;
- const allowedUrls = process.env.REACT_APP_ALLOWED_URLS?.split(',').map(url => url.trim());
+ if (!REACT_APP_ALLOWED_URLS) {
+ console.log('allowed URLs are not set.');
+ return;
+ }
- if (!allowedUrls?.includes(event.origin)) {
+ const allowedUrls = REACT_APP_ALLOWED_URLS.split(',').map(url => url.trim());
+
+ if (!allowedUrls.includes(event.origin)) {
 console.log('Unauthorized app.');
 return;
 }