feat: do not allow to extend session with local time manipulation

superhero-com · Oct 11, 2024 · d87caad · d87caad
1 parent 45c628f
commit d87caad
Show file tree

Hide file tree

Showing 6 changed files with 21 additions and 30 deletions.
diff --git a/src/background/bgPopupHandler.ts b/src/background/bgPopupHandler.ts
@@ -22,7 +22,6 @@ const IS_EXTENSION = PLATFORM === 'extension' && !RUNNING_IN_TESTS;
 
 const SESSION_STORAGE_KEYS = {
   exportedEncryptionKey: 'exportedEncryptionKey',
-  sessionExpires: 'sessionExpires',
 };
 
 const POPUP_TYPE_CONNECT = 'connectConfirm';
@@ -88,18 +87,20 @@ export const removePopup = (id: string) => delete popups[id];
 
 export const getPopup = (id: string): IPopupConfigNoActions => popups[id];
 
-export const setSessionExpiration = async (sessionExpires: number) => {
-  await storageSession.set({ sessionExpires });
+let expirationTimeout: NodeJS.Timeout;
+
+export const setSessionTimeout = async (sessionTimeout: number) => {
+  if (expirationTimeout) {
+    clearTimeout(expirationTimeout);
+  }
+  expirationTimeout = setTimeout(
+    () => storageSession.remove(SESSION_STORAGE_KEYS.exportedEncryptionKey),
+    sessionTimeout,
+  );
 };
 
 export const getSessionEncryptionKey = async (): Promise<string | null> => {
   try {
-    const { sessionExpires } = await storageSession.get(SESSION_STORAGE_KEYS.sessionExpires);
-    if (!sessionExpires || sessionExpires < Date.now()) {
-      await storageSession.remove(SESSION_STORAGE_KEYS.exportedEncryptionKey);
-      return null;
-    }
-
     const { exportedEncryptionKey } = await storageSession.get(
       SESSION_STORAGE_KEYS.exportedEncryptionKey,
     );

diff --git a/src/background/index.ts b/src/background/index.ts
@@ -4,7 +4,7 @@ import {
   removePopup,
   getPopup,
   getSessionEncryptionKey,
-  setSessionExpiration,
+  setSessionTimeout,
 } from './bgPopupHandler';
 import { updateDynamicRules } from './redirectRule';
 
@@ -59,8 +59,8 @@ function handleMessage(msg: IBackgroundMessageData, _: any, sendResponse: Functi
           sendResponse(encryptionKey);
         });
         return true;
-      case 'setSessionExpiration':
-        sendResponse(setSessionExpiration(msg.payload));
+      case 'setSessionTimeout':
+        sendResponse(setSessionTimeout(msg.payload));
         return false;
       default:
         break;

diff --git a/src/composables/auth.ts b/src/composables/auth.ts
@@ -173,7 +173,7 @@ export const useAuth = createCustomScopedComposable(() => {
     encryptionKey.value = newEncryptionKey;
     if (IS_EXTENSION) {
       if (newEncryptionKey) {
-        sessionStart(newEncryptionKey, +secureLoginTimeoutDecrypted.value!);
+        sessionStart(newEncryptionKey);
       } else {
         sessionEnd();
       }

diff --git a/src/constants/common.ts b/src/constants/common.ts
@@ -386,7 +386,7 @@ export const POPUP_METHODS = {
 } as const;
 
 export const SESSION_METHODS = {
-  setSessionExpiration: 'setSessionExpiration',
+  setSessionTimeout: 'setSessionTimeout',
   getSessionEncryptionKey: 'getSessionEncryptionKey',
 } as const;
 

diff --git a/src/offscreen/wallet.ts b/src/offscreen/wallet.ts
@@ -15,7 +15,7 @@ import {
   useAuth,
   useNetworks,
 } from '@/composables';
-import { setSessionExpiration } from '@/background/bgPopupHandler';
+import { setSessionTimeout } from '@/background/bgPopupHandler';
 import { removePopup, getPopup } from './popupHandler';
 import { detectConnectionType } from './utils';
 
@@ -79,15 +79,13 @@ export async function init() {
       }
       case CONNECTION_TYPES.SESSION: {
         port.onDisconnect.addListener(async () => {
-          const sessionExpires = Date.now() + +secureLoginTimeoutDecrypted.value!;
-
           if (IS_FIREFOX) {
-            setSessionExpiration(sessionExpires);
+            setSessionTimeout(+secureLoginTimeoutDecrypted.value!);
           } else {
             browser.runtime.sendMessage<IBackgroundMessageData>({
               target: 'background',
-              method: SESSION_METHODS.setSessionExpiration,
-              payload: sessionExpires,
+              method: SESSION_METHODS.setSessionTimeout,
+              payload: +secureLoginTimeoutDecrypted.value!,
             });
           }
         });

diff --git a/src/utils/session.ts b/src/utils/session.ts
@@ -4,7 +4,6 @@ import { exportEncryptionKey, importEncryptionKey } from './crypto';
 
 const SESSION_STORAGE_KEYS = {
   exportedEncryptionKey: 'exportedEncryptionKey',
-  sessionExpires: 'sessionExpires',
 };
 
 const storageSession = (browser.storage as any)?.session;
@@ -13,13 +12,11 @@ const storageSession = (browser.storage as any)?.session;
  * Stores the password key in the session storage.
  * Extension only.
  */
-export async function sessionStart(encryptionKey: CryptoKey, timeout: number) {
+export async function sessionStart(encryptionKey: CryptoKey) {
   if (IS_EXTENSION && !IS_OFFSCREEN_TAB) {
     browser.runtime.connect({ name: CONNECTION_TYPES.SESSION });
-    const sessionExpires = Date.now() + timeout;
     await storageSession.set({
-      exportedEncryptionKey: await exportEncryptionKey(encryptionKey),
-      sessionExpires,
+      [SESSION_STORAGE_KEYS.exportedEncryptionKey]: await exportEncryptionKey(encryptionKey),
     });
   }
 }
@@ -43,11 +40,6 @@ export async function getSessionEncryptionKey() {
       return importEncryptionKey(Buffer.from(sessionEncryptionKey, 'base64'));
     }
   } else if (IS_EXTENSION) {
-    const { sessionExpires } = await storageSession.get(SESSION_STORAGE_KEYS.sessionExpires);
-    if (!sessionExpires || sessionExpires < Date.now()) {
-      await sessionEnd();
-      return null;
-    }
     const { exportedEncryptionKey } = await storageSession.get(
       SESSION_STORAGE_KEYS.exportedEncryptionKey,
     );