Fix unauthorized url access #189
settings/src/script.js (outdated at the time of review)

```js
const totpEnabled = record?.[ '2fa_available_providers' ].includes( 'Two_Factor_Totp' );
const backupCodesEnabled =
	record?.[ '2fa_available_providers' ].includes( 'Two_Factor_Backup_Codes' );
```
I'm generally in favor of moving these up the component chain or abstracting them into a shared state/context. I prefer that to how we currently reference them in the components, especially since they are provided by a third-party plugin. Changing them in one place is better in my opinion and would provide a better API for graceful error handling. We are also not consistently checking for whether an object is defined:

```js
record[ '2fa_revalidation' ].expires_at = new Date().getTime() / 1000 + 3600;
```

With that being said, I do find it hard to follow which changes were needed to fix the originating issue. Thoughts?
I also find it harder to review PRs that do unrelated things, or get too big. What do you think about splitting those clean-up commits into a different PR?

I like the idea of pulling all the {provider}Enabled, hasPrimaryProvider, etc. things into the Context object 👍🏻
Thanks for pointing it out. I've split the DRYness commits into a separate PR; only related stuff is left in this one.

> I like the idea of pulling all the {provider}Enabled, hasPrimaryProvider, etc. things into the Context object 👍🏻

IMHO, we might want to avoid using Context in this case as we're not dealing with prop drilling (passing data down through many levels of components), and also not dealing with passing down to many components. Overusing Context sometimes might make the code hard to maintain.
It has been rebased to trunk, and is ready for review again.
```js
const currentUrl = new URL( document.location.href );
currentUrl.searchParams.set( 'screen', 'account-status' );
window.history.pushState( {}, '', currentUrl );
setScreen( 'account-status' );
```
I actually had a go at doing just this recently and my approach was to reuse the internals of the clickScreenLink function, as this is almost exactly that. I created a branch which changed that to a basic navigation handler: https://github.com/WordPress/wporg-two-factor/compare/fix/unauthorized-backup-codes?expand=1

Events are handled at the component level and then navigateToScreen is called.

See what you think.
I like the enhancement 👍 Thanks for it.
I've cherry-picked the commits from your branch and tested the behavior on a sandbox, things worked as expected to me. Do you mind taking another look and reviewing again? Thanks.
save() promise was introduced in dd26ab3 for the function refreshRecord, so an await should be added.
--------- Co-authored-by: Adam Wood <[email protected]>
This works for me 👍
A couple of comments inline though
Fixes #188
This PR tidies up the code a bit for readability and DRYness and then makes sure users can't access the BackupCodes component via the URL bar when 2fa isn't enabled yet.
Screencast: fix.unauthorized.url.access.mov

Sandbox
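The guard this PR describes, written out as an added example in the style of the navigateToScreen handler proposed earlier in the thread. This is illustration code, not the wporg-two-factor project's own: the function names (resolveScreen, navigateToScreen, screenFromUrl), the SCREEN_REQUIREMENTS map, the screen id `backup-codes`, and the rule that the backup-codes screen requires `Two_Factor_Totp` to be present in `2fa_available_providers` are all assumptions made here; only `account-status`, the `screen` query parameter and the provider ids come from the snippets on this page. It also checks `record` at every level, the inconsistency a reviewer pointed out above, and takes the URL, history and state setter as arguments so the logic can run outside a browser.

```javascript
// Added example, not code from wporg-two-factor. Function names, the
// requirements map and the 'backup-codes' screen id are assumptions.

const DEFAULT_SCREEN = 'account-status';

// Screens that may only be shown once a given provider is enabled. Any screen
// not listed here is open to every signed-in user. (Assumed mapping.)
const SCREEN_REQUIREMENTS = {
	'backup-codes': 'Two_Factor_Totp',
};

// Read the enabled providers defensively: the record, the key and the array
// type are all checked, so a missing or half-loaded record never throws.
function getEnabledProviders( record ) {
	const providers = record?.[ '2fa_available_providers' ];
	return Array.isArray( providers ) ? providers : [];
}

function isScreenAllowed( screen, record ) {
	const required = SCREEN_REQUIREMENTS[ screen ];
	if ( ! required ) {
		return true;
	}
	return getEnabledProviders( record ).includes( required );
}

// Decide which screen actually gets rendered for a requested one. A missing
// or unauthorized request falls back to the account-status screen.
function resolveScreen( requestedScreen, record ) {
	const screen =
		typeof requestedScreen === 'string' && requestedScreen !== ''
			? requestedScreen
			: DEFAULT_SCREEN;
	return isScreenAllowed( screen, record ) ? screen : DEFAULT_SCREEN;
}

// Central navigation handler: components call this with a screen id instead
// of touching history themselves. In the browser you would pass
// new URL( document.location.href ), window.history and the component's
// state setter; they are parameters here so the function is testable.
function navigateToScreen( screen, record, url, history, setScreen ) {
	const target = resolveScreen( screen, record );
	url.searchParams.set( 'screen', target );
	history.pushState( {}, '', url.href );
	setScreen( target );
	return target;
}

// On initial load, derive the screen from the address bar. A user who types
// ?screen=backup-codes before enabling TOTP lands on account-status instead.
function screenFromUrl( href, record ) {
	const url = new URL( href );
	return resolveScreen( url.searchParams.get( 'screen' ), record );
}
```

The pushState call happens only after the screen has been resolved, so the address bar never ends up showing a screen the user was not allowed to reach. This remains a client-side convenience rather than an authorization boundary: the REST endpoints behind each screen still need their own capability checks, because anyone can call them without going through the UI.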