EmbeddedChat/packages/react/src/hooks/useRCAuth.js at 2afa165fb0fa1279678d9fbf116796e89506dbee · RocketChat/EmbeddedChat · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
import { useContext } from 'react';
import { useToastBarDispatch } from '@embeddedchat/ui-elements';
import RCContext from '../context/RCInstance';
import { useUserStore, totpModalStore, useLoginStore, useTotpCredentialsStore } from '../store';

export const useRCAuth = () => {
  const { RCInstance } = useContext(RCContext);
  const setIsTotpModalOpen = totpModalStore(
    (state) => state.setIsTotpModalOpen
  );
  const setUserAvatarUrl = useUserStore((state) => state.setUserAvatarUrl);
  const setIsLoginModalOpen = useLoginStore(
    (state) => state.setIsLoginModalOpen
  );
  const setAuthenticatedUserUsername = useUserStore(
    (state) => state.setUsername
  );
  const setIsUserAuthenticated = useUserStore(
    (state) => state.setIsUserAuthenticated
  );
  // SECURITY FIX (Issue #1263): Use ephemeral TOTP credentials store
  const setTotpCredentials = useTotpCredentialsStore((state) => state.setTotpCredentials);
  const clearTotpCredentials = useTotpCredentialsStore((state) => state.clearTotpCredentials);
  const setEmailorUser = useUserStore((state) => state.setEmailorUser);
  const dispatchToastMessage = useToastBarDispatch();

  const handleLogin = async (userOrEmail, password, code) => {
    try {
      const res = await RCInstance.login(userOrEmail, password, code);
      if (res.error === 'Unauthorized' || res.error === 403) {
        dispatchToastMessage({
          type: 'error',
          message:
            'Invalid username or password. Please check your credentials and try again',
        });
      } else {
        if (res.error === 'totp-required') {
          // SECURITY FIX (Issue #1263): Store credentials temporarily in ephemeral TOTP store
          // These are cleared immediately after TOTP completes
          setTotpCredentials(userOrEmail, password);
          setEmailorUser(userOrEmail);
          setIsLoginModalOpen(false);
          setIsTotpModalOpen(true);
          dispatchToastMessage({
            type: 'info',
            message: 'Please Open your authentication app and enter the code.',
          });
        } else if (res.error === 'totp-invalid') {
          dispatchToastMessage({
            type: 'error',
            message: 'Invalid TOTP Time-based One-time Password.',
          });
        }

        if (res.status === 'success') {
          setIsLoginModalOpen(false);
          setUserAvatarUrl(res.me.avatarUrl);
          setAuthenticatedUserUsername(res.me.username);
          setIsUserAuthenticated(true);
          setIsTotpModalOpen(false);
          setEmailorUser(null);
          // SECURITY FIX (Issue #1263): Clear ephemeral TOTP credentials after success
          clearTotpCredentials();
          dispatchToastMessage({
            type: 'success',
            message: 'Successfully logged in',
          });
        }
      }
    } catch (e) {
      console.error('An error occurred while setting up user', e);
      // SECURITY FIX (Issue #1263): Clear ephemeral TOTP credentials on error
      clearTotpCredentials();
      dispatchToastMessage({
        type: 'error',
        message:
          'Unable to connect to server. Please check your connection and try again.',
      });
    }
  };

  return {
    handleLogin,
  };
};