From aecb614bc6302db0f83c779f03d27035a50645f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vojt=C4=9Bch=20Kraus?=
Date: Mon, 29 Apr 2024 18:51:45 +0200
Subject: [PATCH] Don't send session token in query parameter when checking session info in XUI.

---
 .../common/services/SiteConfigurationService.js | 3 ++-
 .../strategies/MaxIdleTimeLeftStrategy.js | 5 +++--
 .../openam/ui/user/login/RESTLoginHelper.js | 3 ++-
 .../org/forgerock/openam/ui/user/login/logout.jsm | 5 +++--
 .../openam/ui/user/services/SessionService.jsm | 15 ++++++++-------
 5 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/common/services/SiteConfigurationService.js b/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/common/services/SiteConfigurationService.js
index 77af5b5319..320d77a431 100644
--- a/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/common/services/SiteConfigurationService.js
+++ b/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/common/services/SiteConfigurationService.js
@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Portions copyright 2014-2016 ForgeRock AS.
+ * Portions copyright 2024 Wren Security.
  */
 
 define([
@@ -55,7 +56,7 @@ define([
 const sessionToken = SessionToken.get();
 
 if (sessionToken) {
- return SessionService.updateSessionInfo(sessionToken).then(() => {
+ return SessionService.updateSessionInfo().then(() => {
 if (isRealmChanged()) {
 location.href = "#confirmLogin/";
 }
diff --git a/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/common/sessions/strategies/MaxIdleTimeLeftStrategy.js b/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/common/sessions/strategies/MaxIdleTimeLeftStrategy.js
index 361e6c0795..1086a96057 100644
--- a/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/common/sessions/strategies/MaxIdleTimeLeftStrategy.js
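Review bot: The `if (sessionToken)` guard just above the changed call still keys off the locally stored token, but the request no longer carries that token, so the server now identifies the session from whatever the browser sends on its own — presumably the session cookie, or headers set in SessionService's request config, which this patch does not show. A locally stored token without a matching cookie would therefore no longer be looked up and would presumably fail as unauthenticated, so a one-line comment at the call site would make that dependency explicit, e.g. `// The local token only gates the call; the server resolves the session from the request (cookie/headers), not from this value.` The same applies to the RESTLoginHelper hunk on the next line and the logout hunk on the line after; the enclosing function in each of them starts before its hunk.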
+++ b/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/common/sessions/strategies/MaxIdleTimeLeftStrategy.js
@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2015-2016 ForgeRock AS.
+ * Portions copyright 2024 Wren Security.
  */
 
 /**
@@ -31,7 +32,7 @@ define([
 
 "org/forgerock/openam/ui/user/services/SessionService"
 ], (SessionService) => {
- return function (token) {
- return SessionService.getTimeLeft(token);
+ return function () {
+ return SessionService.getTimeLeft();
 };
 });
diff --git a/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/RESTLoginHelper.js b/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/RESTLoginHelper.js
index 8c3007510c..5118bade93 100644
--- a/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/RESTLoginHelper.js
+++ b/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/RESTLoginHelper.js
@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Portions copyright 2011-2017 ForgeRock AS.
+ * Portions copyright 2024 Wren Security.
  */
 
 define([
@@ -108,7 +109,7 @@ define([
 
 const suppressError = { errorsHandlers : { "Unauthorized": { status: 401 } } };
 if (sessionToken) {
- return SessionService.updateSessionInfo(sessionToken, suppressError).then((data) => {
+ return SessionService.updateSessionInfo(suppressError).then((data) => {
 return UserModel.fetchById(data.username).then(successCallback);
 }, noSessionHandler);
 } else {
diff --git a/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/logout.jsm b/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/logout.jsm
index 5048c4a793..10e9a2cd11 100644
--- a/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/logout.jsm
+++ b/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/login/logout.jsm
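Review bot: The strategy function returned by MaxIdleTimeLeftStrategy now silently ignores any argument its consumer still passes, and nothing in the hunk says why a token is no longer needed; the module doc comment that precedes this hunk is outside it, so I cannot tell whether it still describes a token parameter. A short comment on the returned function would state the new contract, e.g. `// Takes no token: SessionService resolves the session from the request itself (cookie/headers).` The enclosing `define` call starts before this hunk.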
@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2016 ForgeRock AS.
+ * Portions copyright 2024 Wren Security.
  */
 
 /**
@@ -30,9 +31,9 @@ const logout = () => {
 
 Configuration.setProperty("loggedUser", null);
 if (sessionToken) {
- return isSessionValid(sessionToken).then((isValid) => {
+ return isSessionValid().then((isValid) => {
 if (isValid) {
- return serviceLogout(sessionToken);
+ return serviceLogout();
 } else {
 return $.Deferred().resolve();
 }
diff --git a/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/services/SessionService.jsm b/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/services/SessionService.jsm
index 385d2d0650..76bcde0279 100644
--- a/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/services/SessionService.jsm
+++ b/openam-ui/openam-ui-ria/src/main/js/org/forgerock/openam/ui/user/services/SessionService.jsm
@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Portions copyright 2014-2016 ForgeRock AS.
+ * Portions copyright 2024 Wren Security.
  */
 
 import _ from "lodash";
@@ -24,9 +25,9 @@ import Configuration from "org/forgerock/commons/ui/common/main/Configuration";
 import moment from "moment";
 
 const obj = new AbstractDelegate(`${Constants.host}/${Constants.context}/json/sessions`);
-const getSessionInfo = (token, options) => {
+const getSessionInfo = (options) => {
 return obj.serviceCall(_.merge({
- url: `?_action=getSessionInfo&tokenId=${token}`,
+ url: "?_action=getSessionInfo",
 type: "POST",
 data: {},
 headers: {
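Review bot: Dropping `tokenId` from the query string is the right fix — the old `url` interpolated the token unescaped into a URL, where it ends up in server and proxy access logs, browser history and Referer headers — but `getSessionInfo` now has no comment saying how the session is identified, and the `headers` block that follows is cut off by the hunk boundary, so I cannot tell whether it carries the token or the server relies on the session cookie. Please add a header comment such as `// Resolves the caller's own session; the token travels in the session cookie/headers, never in the URL.` Because the first positional parameter changed meaning, any caller outside this patch that still passes `(token, options)` would presumably have its token string merged into the request config by `_.merge` and its real options dropped; a guard like `if (typeof options === "string") { throw new TypeError("getSessionInfo no longer accepts a token argument"); }` would turn that into a loud failure. The same signature change applies to `getTimeLeft`, `updateSessionInfo` and `isSessionValid` in the next two hunks.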
@@ -35,16 +36,16 @@ const getSessionInfo = (token, options) => {
 }, options));
 };
 
-export const getTimeLeft = (token) => {
- return getSessionInfo(token, { suppressSpinner: true }).then((sessionInfo) => {
+export const getTimeLeft = () => {
+ return getSessionInfo({ suppressSpinner: true }).then((sessionInfo) => {
 const idleExpiration = moment(sessionInfo.maxIdleExpirationTime).diff(moment(), "seconds");
 const maxExpiration = moment(sessionInfo.maxSessionExpirationTime).diff(moment(), "seconds");
 return _.min([idleExpiration, maxExpiration]);
 });
 };
 
-export const updateSessionInfo = (token, options) => {
- return getSessionInfo(token, options).then((response) => {
+export const updateSessionInfo = (options) => {
+ return getSessionInfo(options).then((response) => {
 store.dispatch(sessionAddInfo({
 realm: response.realm,
 sessionHandle: response.sessionHandle
@@ -53,7 +54,7 @@ export const updateSessionInfo = (token, options) => {
 });
 };
 
-export const isSessionValid = (token) => getSessionInfo(token).then((response) => _.has(response, "username"));
+export const isSessionValid = () => getSessionInfo().then((response) => _.has(response, "username"));
 
 export const logout = () => {
 const gotoUrl = Configuration.gotoURL;
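Review bot: `isSessionValid` only resolves to `false` when the server answers successfully without a `username`; a session the server rejects with 401 most likely rejects the promise instead, and the logout caller in the earlier hunk chains `.then((isValid) => …)` with no rejection handler visible there (the closing of that `.then` is outside its hunk, so one may exist). This predates the patch, but now that the lookup relies entirely on the cookie/header session rather than an explicit token, the 401 path is the one a stale local token will hit. Consider `getSessionInfo({ errorsHandlers: { "Unauthorized": { status: 401 } } }).then((response) => _.has(response, "username"), () => false)` — the suppression shape RESTLoginHelper already uses — if that matches the delegate's error-handler contract, which is not visible here.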