Merge pull request #173 from krausvo1/drop_token_query_param

Don't send session token in query parameter when checking session info in XUI.
WrenSecurity · May 30, 2024 · df0d2b7 · df0d2b7
2 parents 8447f25 + aecb614
commit df0d2b7
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 13 deletions.
diff --git a/...am-ui-ria/src/main/js/org/forgerock/openam/ui/common/services/SiteConfigurationService.js b/...am-ui-ria/src/main/js/org/forgerock/openam/ui/common/services/SiteConfigurationService.js
@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Portions copyright 2014-2016 ForgeRock AS.
+ * Portions copyright 2024 Wren Security.
  */
 
 define([
@@ -55,7 +56,7 @@ define([
         const sessionToken = SessionToken.get();
 
         if (sessionToken) {
-            return SessionService.updateSessionInfo(sessionToken).then(() => {
+            return SessionService.updateSessionInfo().then(() => {
                 if (isRealmChanged()) {
                     location.href = "#confirmLogin/";
                 }

diff --git a/...src/main/js/org/forgerock/openam/ui/common/sessions/strategies/MaxIdleTimeLeftStrategy.js b/...src/main/js/org/forgerock/openam/ui/common/sessions/strategies/MaxIdleTimeLeftStrategy.js
@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2015-2016 ForgeRock AS.
+ * Portions copyright 2024 Wren Security.
  */
 
 /**
@@ -31,7 +32,7 @@
 define([
     "org/forgerock/openam/ui/user/services/SessionService"
 ], (SessionService) => {
-    return function (token) {
-        return SessionService.getTimeLeft(token);
+    return function () {
+        return SessionService.getTimeLeft();
     };
 });
diff --git a/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/RESTLoginHelper.js b/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/RESTLoginHelper.js
@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Portions copyright 2011-2017 ForgeRock AS.
+ * Portions copyright 2024 Wren Security.
  */
 
 define([
@@ -108,7 +109,7 @@ define([
         const suppressError = { errorsHandlers : { "Unauthorized": { status: 401 } } };
 
         if (sessionToken) {
-            return SessionService.updateSessionInfo(sessionToken, suppressError).then((data) => {
+            return SessionService.updateSessionInfo(suppressError).then((data) => {
                 return UserModel.fetchById(data.username).then(successCallback);
             }, noSessionHandler);
         } else {

diff --git a/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/logout.jsm b/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/logout.jsm
@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2016 ForgeRock AS.
+ * Portions copyright 2024 Wren Security.
  */
 
 /**
@@ -30,9 +31,9 @@ const logout = () => {
     Configuration.setProperty("loggedUser", null);
 
     if (sessionToken) {
-        return isSessionValid(sessionToken).then((isValid) => {
+        return isSessionValid().then((isValid) => {
             if (isValid) {
-                return serviceLogout(sessionToken);
+                return serviceLogout();
             } else {
                 return $.Deferred().resolve();
             }

diff --git a/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/services/SessionService.jsm b/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/services/SessionService.jsm
@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Portions copyright 2014-2016 ForgeRock AS.
+ * Portions copyright 2024 Wren Security.
  */
 
 import _ from "lodash";
@@ -24,9 +25,9 @@ import Configuration from "org/forgerock/commons/ui/common/main/Configuration";
 import moment from "moment";
 
 const obj = new AbstractDelegate(`${Constants.host}/${Constants.context}/json/sessions`);
-const getSessionInfo = (token, options) => {
+const getSessionInfo = (options) => {
     return obj.serviceCall(_.merge({
-        url: `?_action=getSessionInfo&tokenId=${token}`,
+        url: "?_action=getSessionInfo",
         type: "POST",
         data: {},
         headers: {
@@ -35,16 +36,16 @@ const getSessionInfo = (token, options) => {
     }, options));
 };
 
-export const getTimeLeft = (token) => {
-    return getSessionInfo(token, { suppressSpinner: true }).then((sessionInfo) => {
+export const getTimeLeft = () => {
+    return getSessionInfo({ suppressSpinner: true }).then((sessionInfo) => {
         const idleExpiration = moment(sessionInfo.maxIdleExpirationTime).diff(moment(), "seconds");
         const maxExpiration = moment(sessionInfo.maxSessionExpirationTime).diff(moment(), "seconds");
         return _.min([idleExpiration, maxExpiration]);
     });
 };
 
-export const updateSessionInfo = (token, options) => {
-    return getSessionInfo(token, options).then((response) => {
+export const updateSessionInfo = (options) => {
+    return getSessionInfo(options).then((response) => {
         store.dispatch(sessionAddInfo({
             realm: response.realm,
             sessionHandle: response.sessionHandle
@@ -53,7 +54,7 @@ export const updateSessionInfo = (token, options) => {
     });
 };
 
-export const isSessionValid = (token) => getSessionInfo(token).then((response) => _.has(response, "username"));
+export const isSessionValid = () => getSessionInfo().then((response) => _.has(response, "username"));
 
 export const logout = () => {
     const gotoUrl = Configuration.gotoURL;