From 2813f6b3e049517935f6cff7747678ea8c4e909f Mon Sep 17 00:00:00 2001
From: Evan Sharp
Date: Wed, 16 Jul 2025 11:12:51 -0400
Subject: [PATCH] fix(user-activity-broadcaster): determine the correct origin to postMessage
---
 .../user-activity-broadcaster/src/index.js | 63 ++++++++++---------
 .../src/tests/index.test.js | 22 ++++---
 2 files changed, 46 insertions(+), 39 deletions(-)
diff --git a/packages/user-activity-broadcaster/src/index.js b/packages/user-activity-broadcaster/src/index.js
index 5d16eb3d..5d0afb97 100644
--- a/packages/user-activity-broadcaster/src/index.js
+++ b/packages/user-activity-broadcaster/src/index.js
@@ -1,51 +1,52 @@
-const MINUTE = 60 * 1000
-const interval = MINUTE * 5
-export const eventName = 'user_activity'
+const MINUTE = 60 * 1000;
+const interval = MINUTE * 5;
+export const eventName = 'user_activity';
 // Must be a dynamic object to test this
-export const lastActivity = {}
+export const lastActivity = {};
-export const getTargetOrigin = (origin = window.location.origin) => {
- // Setup targetOrigin to alternate origin (because the same origin already works)
- if (origin) {
- if (origin.includes('apps')) {
- return origin.replace('apps', 'essentials')
- }
-
- if (origin.includes('essentials')) {
- return origin.replace('essentials', 'apps')
+export const getTargetOrigin = (origin = window.document.referrer) => {
+ try {
+ if (origin && new URL(origin).origin.endsWith('.availity.com')) {
+ return origin;
 }
+ } catch (error) {
+ console.error('Invalid URL:', error);
 }
+ // If the origin does not end with .availity.com, return undefined
- return undefined
-}
+ return undefined;
+};
-const targetOrigin = getTargetOrigin()
+const targetOrigin = getTargetOrigin();
 // PostMessage Logic
 export const handleActivityUpdate = () => {
- window.top.postMessage({
- event: eventName,
- time: lastActivity.time
- }, targetOrigin)
-}
+ window.top.postMessage(
+ {
+ event: eventName,
+ time: lastActivity.time,
+ },
+ targetOrigin
+ );
+};
 // Debounce Logic
-let activityIntervalId = setInterval(handleActivityUpdate, interval)
+let activityIntervalId = setInterval(handleActivityUpdate, interval);
 // Re-assignable for testing
 export const updateInterval = (newInterval) => {
- clearInterval(activityIntervalId)
- activityIntervalId = setInterval(handleActivityUpdate, newInterval)
-}
+ clearInterval(activityIntervalId);
+ activityIntervalId = setInterval(handleActivityUpdate, newInterval);
+};
 // Event Handlers
 export const handleActivity = () => {
- lastActivity.time = Date.now().toString()
-}
+ lastActivity.time = Date.now().toString();
+};
 // Add ability to test handleActivity and events
 export const addEventListeners = () => {
- document.addEventListener('mousedown', handleActivity)
- document.addEventListener('keydown', handleActivity)
-}
-addEventListeners()
+ document.addEventListener('mousedown', handleActivity);
+ document.addEventListener('keydown', handleActivity);
+};
+addEventListeners();
diff --git a/packages/user-activity-broadcaster/src/tests/index.test.js b/packages/user-activity-broadcaster/src/tests/index.test.js
index 8ea3d15e..d4c1ee75 100644
--- a/packages/user-activity-broadcaster/src/tests/index.test.js
+++ b/packages/user-activity-broadcaster/src/tests/index.test.js
@@ -10,22 +10,28 @@ const {
 describe('user-activity-broadcaster', () => {
 describe('targetOrigin', () => {
- test('essentials.availity.com origin should have targetOrigion of apps', () => {
- const testOrigin = 'essentials.availity.com'
- const expected = 'apps.availity.com'
+ test('should return the provided origin if it ends with .availity.com', () => {
+ const testOrigin = 'https://essentials.availity.com'
 const targetOrigin = getTargetOrigin(testOrigin)
- expect(targetOrigin).toBe(expected)
+ expect(targetOrigin).toBe(testOrigin)
 })
- test('apps.availity.com origin should have targetOrigion of essentials', () => {
- const testOrigin = 'apps.availity.com'
- const expected = 'essentials.availity.com'
+ test('should return undefined if the provider origin does not end in .availity.com', () => {
+ const testOrigin = 'https://essentials.availity.com.malicious.com'
+
+ const targetOrigin = getTargetOrigin(testOrigin)
+
+ expect(targetOrigin).toBe(undefined)
+ })
+
+ test('should return undefined if the provider origin is not a valid URL', () => {
+ const testOrigin = 'essentials.availity.com'
 const targetOrigin = getTargetOrigin(testOrigin)
- expect(targetOrigin).toBe(expected)
+ expect(targetOrigin).toBe(undefined)
 })
 })
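Review bot: In `getTargetOrigin` (index.js hunk), the allowlist check runs `endsWith('.availity.com')` on the serialized origin (scheme, host and any explicit port) and then returns the raw `origin` argument, which by default is the full `window.document.referrer` URL rather than an origin. As a result a referrer with an explicit port is rejected, the scheme is never constrained (an `http://` referrer on a matching host passes), and the value handed to `postMessage` can carry a path. Consider matching on the hostname and returning the normalized origin: `const url = new URL(origin);` followed by `if (url.protocol === 'https:' && url.hostname.endsWith('.availity.com')) return url.origin;`. The suffix match also trusts every subdomain; if only the `apps` and `essentials` hosts from the removed code embed this package, an exact-host allowlist would be tighter. When the function returns `undefined`, `handleActivityUpdate` still calls `postMessage` with it, which I believe falls back to same-origin-only delivery, so a comment such as `// undefined targetOrigin: message is delivered only to a same-origin top window` would make that intent explicit.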
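Review bot: The new `targetOrigin` cases in index.test.js only pass bare origins, while the default argument in index.js is `window.document.referrer`, which normally includes a path. Add a case that pins the behaviour for that input, e.g. `expect(getTargetOrigin('https://apps.availity.com/some/path')).toBe(...)` (constructed sample) with whatever value the team intends to reach `postMessage`. A case for a host that lacks the dot boundary, such as `'https://notavaility.com'` (constructed sample) expecting `undefined`, would also guard against the leading dot being dropped from the suffix in a later edit. Two test titles say "provider origin" where "provided origin" appears to be meant. The enclosing `describe` blocks open outside this hunk.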