Add allowed origins check while signining messages

This commit is contained in:
Shreerang Kale 2025-04-25 12:46:36 +05:30
parent b9ded9d718
commit 9f5f3cb5ef
4 changed files with 21 additions and 7 deletions


@ -6,7 +6,7 @@ import useAccountsData from "./useAccountsData";
import { useNetworks } from "../context/NetworksContext";
import { useAccounts } from "../context/AccountsContext";
const REACT_APP_ALLOWED_URLS = process.env.REACT_APP_ALLOWED_URLS
const REACT_APP_ALLOWED_URLS = process.env.REACT_APP_ALLOWED_URLS;
const useGetOrCreateAccounts = () => {
const { networksData } = useNetworks();


@ -7,7 +7,7 @@ import { sendMessage } from '../utils/misc';
import useAccountsData from '../hooks/useAccountsData';
import useGetOrCreateAccounts from '../hooks/useGetOrCreateAccounts';
const REACT_APP_ALLOWED_URLS = process.env.REACT_APP_ALLOWED_URLS
const REACT_APP_ALLOWED_URLS = process.env.REACT_APP_ALLOWED_URLS;
export const AutoSignIn = () => {
const { networksData } = useNetworks();


@ -16,6 +16,8 @@ import { getCosmosAccounts, retrieveSingleAccount } from '../utils/accounts';
import { getMnemonic, getPathKey, sendMessage } from '../utils/misc';
import { COSMOS } from '../utils/constants';
const REACT_APP_ALLOWED_URLS = process.env.REACT_APP_ALLOWED_URLS;
type SignRequestProps = NativeStackScreenProps<StackParamsList, 'sign-request-embed'>;
const SignMessageEmbed = ({ route }: SignRequestProps) => {
@ -70,7 +72,6 @@ const SignMessageEmbed = ({ route }: SignRequestProps) => {
}
};
const rejectRequestHandler = async () => {
if (sourceWindow && origin) {
sendMessage(
@ -87,6 +88,19 @@ const SignMessageEmbed = ({ route }: SignRequestProps) => {
const handleCosmosSignMessage = async (event: MessageEvent) => {
if (event.data.type !== 'SIGN_ZENITH_MESSAGE') return;
if (!REACT_APP_ALLOWED_URLS) {
console.log('allowed URLs are not set.');
return;
}
const allowedUrls = REACT_APP_ALLOWED_URLS.split(',').map(url => url.trim());
if (!allowedUrls.includes(event.origin)) {
console.log('Unauthorized app.');
return;
}
try {
const { signerAddress, signDoc } = event.data.params;
@ -102,7 +116,7 @@ const SignMessageEmbed = ({ route }: SignRequestProps) => {
event.data.chainId,
signerAddress,
);
setDisplayAccount(requestAccount);
setIsLoading(false);
} catch (err) {
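Review bot: The allow-list comparison on the `if (!allowedUrls.includes(event.origin))` line in the third hunk matches raw config strings against `event.origin`, which is always a bare origin (`scheme://host[:port]`, no trailing slash or path), so an entry written as a full URL such as `https://wallet.example/` (constructed value) can never match and every request from that app is silently dropped; the README hunk in this commit also describes the setting as a list of "urls", which invites exactly that form. Normalising each entry once, e.g. `const ALLOWED_ORIGINS = (REACT_APP_ALLOWED_URLS ?? '').split(',').map(u => u.trim()).filter(Boolean).map(u => new URL(u).origin);` next to the `REACT_APP_ALLOWED_URLS` declaration and then `if (!ALLOWED_ORIGINS.includes(event.origin))` in the handler, makes the check origin-to-origin, surfaces a malformed entry once at load instead of on every message, and stops re-splitting the list per event. The two `console.log` early returns leave the requesting window without any reply, which is a reasonable choice for an unlisted origin but worth recording with a comment such as `// Deliberately no reply: do not acknowledge requests from unlisted origins`. If other signing handlers exist outside this commit (e.g. non-Cosmos routes), they presumably need the same guard, but that cannot be seen here. handleCosmosSignMessage continues past the end of this hunk.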


@ -49,6 +49,9 @@ Instructions for running the `laconic-wallet-web` using [laconic-so](https://git
# WalletConnect project ID, same should be used in the laconic-wallet
WALLET_CONNECT_ID=
# Allowed urls is a comma separated list of allowed urls
CERC_ALLOWED_URLS=
# Optional
# WalletConnect code for hostname verification
@ -63,9 +66,6 @@ Instructions for running the `laconic-wallet-web` using [laconic-so](https://git
# RPC endpoint of laconicd node (default: https://laconicd.laconic.com)
CERC_LACONICD_RPC_URL=
# Allowed urls is a comma separated list of allowed urls for auto-sign-in route
CERC_ALLOWED_URLS=
```
## Start the deployment