companion: pass token through postMessage as JSON, fixes #1424

Thanks to @serverdevil for the investigation!
transloadit · May 8, 2019 · 156e86e · 156e86e
1 parent a9eda15
commit 156e86e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/packages/@uppy/companion/src/server/controllers/send-token.js b/packages/@uppy/companion/src/server/controllers/send-token.js
@@ -42,7 +42,7 @@ const htmlContent = (token, origin) => {
     <head>
         <meta charset="utf-8" />
         <script>
-          window.opener.postMessage({token: "${token}"}, "${sanitizeHtml(origin)}")
+          window.opener.postMessage(JSON.stringify({token: "${token}"}), "${sanitizeHtml(origin)}")
           window.close()
         </script>
     </head>

diff --git a/packages/@uppy/provider-views/src/index.js b/packages/@uppy/provider-views/src/index.js
@@ -419,9 +419,19 @@ module.exports = class ProviderView {
         this.plugin.uppy.log(`rejecting event from ${e.origin} vs allowed pattern ${this.plugin.opts.companionAllowedHosts}`)
         return
       }
+
+      // Check if it's a string before doing the JSON.parse to maintain support
+      // for older Companion versions that used object references
+      const data = typeof e.data === 'string' ? JSON.parse(e.data) : e.data
+
+      if (!data.token) {
+        this.plugin.uppy.log('did not receive token from auth window')
+        return
+      }
+
       authWindow.close()
       window.removeEventListener('message', handleToken)
-      this.provider.setAuthToken(e.data.token)
+      this.provider.setAuthToken(data.token)
       this.preFirstRender()
     }
     window.addEventListener('message', handleToken)