From 9f5f3cb5ef9dfa71ec4a86e17c3791859038e0b4 Mon Sep 17 00:00:00 2001 From: Shreerang Kale Date: Fri, 25 Apr 2025 12:46:36 +0530 Subject: [PATCH] Add allowed origins check while signining messages --- src/hooks/useGetOrCreateAccounts.ts | 2 +- src/screens/AutoSignIn.tsx | 2 +- src/screens/SignMessageEmbed.tsx | 18 ++++++++++++++++-- .../stack/laconic-wallet-web/README.md | 6 +++--- 4 files changed, 21 insertions(+), 7 deletions(-) diff --git a/src/hooks/useGetOrCreateAccounts.ts b/src/hooks/useGetOrCreateAccounts.ts index 8a0e10b..d5fcc47 100644 --- a/src/hooks/useGetOrCreateAccounts.ts +++ b/src/hooks/useGetOrCreateAccounts.ts @@ -6,7 +6,7 @@ import useAccountsData from "./useAccountsData"; import { useNetworks } from "../context/NetworksContext"; import { useAccounts } from "../context/AccountsContext"; -const REACT_APP_ALLOWED_URLS = process.env.REACT_APP_ALLOWED_URLS +const REACT_APP_ALLOWED_URLS = process.env.REACT_APP_ALLOWED_URLS; const useGetOrCreateAccounts = () => { const { networksData } = useNetworks(); diff --git a/src/screens/AutoSignIn.tsx b/src/screens/AutoSignIn.tsx index bb19267..f018831 100644 --- a/src/screens/AutoSignIn.tsx +++ b/src/screens/AutoSignIn.tsx @@ -7,7 +7,7 @@ import { sendMessage } from '../utils/misc'; import useAccountsData from '../hooks/useAccountsData'; import useGetOrCreateAccounts from '../hooks/useGetOrCreateAccounts'; -const REACT_APP_ALLOWED_URLS = process.env.REACT_APP_ALLOWED_URLS +const REACT_APP_ALLOWED_URLS = process.env.REACT_APP_ALLOWED_URLS; export const AutoSignIn = () => { const { networksData } = useNetworks(); diff --git a/src/screens/SignMessageEmbed.tsx b/src/screens/SignMessageEmbed.tsx index 8717411..6dfe836 100644 --- a/src/screens/SignMessageEmbed.tsx +++ b/src/screens/SignMessageEmbed.tsx @@ -16,6 +16,8 @@ import { getCosmosAccounts, retrieveSingleAccount } from '../utils/accounts'; import { getMnemonic, getPathKey, sendMessage } from '../utils/misc'; import { COSMOS } from '../utils/constants'; +const REACT_APP_ALLOWED_URLS = process.env.REACT_APP_ALLOWED_URLS; + type SignRequestProps = NativeStackScreenProps; const SignMessageEmbed = ({ route }: SignRequestProps) => { @@ -70,7 +72,6 @@ const SignMessageEmbed = ({ route }: SignRequestProps) => { } }; - const rejectRequestHandler = async () => { if (sourceWindow && origin) { sendMessage( @@ -87,6 +88,19 @@ const SignMessageEmbed = ({ route }: SignRequestProps) => { const handleCosmosSignMessage = async (event: MessageEvent) => { if (event.data.type !== 'SIGN_ZENITH_MESSAGE') return; + + if (!REACT_APP_ALLOWED_URLS) { + console.log('allowed URLs are not set.'); + return; + } + + const allowedUrls = REACT_APP_ALLOWED_URLS.split(',').map(url => url.trim()); + + if (!allowedUrls.includes(event.origin)) { + console.log('Unauthorized app.'); + return; + } + try { const { signerAddress, signDoc } = event.data.params; @@ -102,7 +116,7 @@ const SignMessageEmbed = ({ route }: SignRequestProps) => { event.data.chainId, signerAddress, ); - + setDisplayAccount(requestAccount); setIsLoading(false); } catch (err) { diff --git a/stack/stack-orchestrator/stack/laconic-wallet-web/README.md b/stack/stack-orchestrator/stack/laconic-wallet-web/README.md index 50be17d..f28151e 100644 --- a/stack/stack-orchestrator/stack/laconic-wallet-web/README.md +++ b/stack/stack-orchestrator/stack/laconic-wallet-web/README.md @@ -49,6 +49,9 @@ Instructions for running the `laconic-wallet-web` using [laconic-so](https://git # WalletConnect project ID, same should be used in the laconic-wallet WALLET_CONNECT_ID= + # Allowed urls is a comma separated list of allowed urls + CERC_ALLOWED_URLS= + # Optional # WalletConnect code for hostname verification @@ -63,9 +66,6 @@ Instructions for running the `laconic-wallet-web` using [laconic-so](https://git # RPC endpoint of laconicd node (default: https://laconicd.laconic.com) CERC_LACONICD_RPC_URL= - - # Allowed urls is a comma separated list of allowed urls for auto-sign-in route - CERC_ALLOWED_URLS= ``` ## Start the deployment