fix(user-activity-broadcaster): determine the correct origin to postMessage

Author: TheSharpieOne

packages/user-activity-broadcaster/src/index.js

@@ -1,51 +1,52 @@
-const MINUTE = 60 * 1000
-const interval = MINUTE * 5
-export const eventName = 'user_activity'
+const MINUTE = 60 * 1000;
+const interval = MINUTE * 5;
+export const eventName = 'user_activity';
 
 // Must be a dynamic object to test this
-export const lastActivity = {}
+export const lastActivity = {};
 
-export const getTargetOrigin = (origin = window.location.origin) => {
-  // Setup targetOrigin to alternate origin (because the same origin already works)
-  if (origin) {
-    if (origin.includes('apps')) {
-      return origin.replace('apps', 'essentials')
-    }
-
-    if (origin.includes('essentials')) {
-      return origin.replace('essentials', 'apps')
+export const getTargetOrigin = (origin = window.document.referrer) => {
+  try {
+    if (origin && new URL(origin).origin.endsWith('.availity.com')) {
+      return origin;
     }
+  } catch (error) {
+    console.error('Invalid URL:', error);
   }
+  // If the origin does not end with .availity.com, return undefined
 
-  return undefined
-}
+  return undefined;
+};
 
-const targetOrigin = getTargetOrigin()
+const targetOrigin = getTargetOrigin();
 
 // PostMessage Logic
 export const handleActivityUpdate = () => {
-  window.top.postMessage({
-    event: eventName,
-    time: lastActivity.time
-  }, targetOrigin)
-}
+  window.top.postMessage(
+    {
+      event: eventName,
+      time: lastActivity.time,
+    },
+    targetOrigin
+  );
+};
 
 // Debounce Logic
-let activityIntervalId = setInterval(handleActivityUpdate, interval)
+let activityIntervalId = setInterval(handleActivityUpdate, interval);
 // Re-assignable for testing
 export const updateInterval = (newInterval) => {
-  clearInterval(activityIntervalId)
-  activityIntervalId = setInterval(handleActivityUpdate, newInterval)
-}
+  clearInterval(activityIntervalId);
+  activityIntervalId = setInterval(handleActivityUpdate, newInterval);
+};
 
 // Event Handlers
 export const handleActivity = () => {
-  lastActivity.time = Date.now().toString()
-}
+  lastActivity.time = Date.now().toString();
+};
 
 // Add ability to test handleActivity and events
 export const addEventListeners = () => {
-  document.addEventListener('mousedown', handleActivity)
-  document.addEventListener('keydown', handleActivity)
-}
-addEventListeners()
+  document.addEventListener('mousedown', handleActivity);
+  document.addEventListener('keydown', handleActivity);
+};
+addEventListeners();

packages/user-activity-broadcaster/src/tests/index.test.js

@@ -10,22 +10,28 @@ const {
 
 describe('user-activity-broadcaster', () => {
   describe('targetOrigin', () => {
-    test('essentials.availity.com origin should have targetOrigion of apps', () => {
-      const testOrigin = 'essentials.availity.com'
-      const expected = 'apps.availity.com'
+    test('should return the provided origin if it ends with .availity.com', () => {
+      const testOrigin = 'https://essentials.availity.com'
 
       const targetOrigin = getTargetOrigin(testOrigin)
 
-      expect(targetOrigin).toBe(expected)
+      expect(targetOrigin).toBe(testOrigin)
     })
 
-    test('apps.availity.com origin should have targetOrigion of essentials', () => {
-      const testOrigin = 'apps.availity.com'
-      const expected = 'essentials.availity.com'
+    test('should return undefined if the provider origin does not end in .availity.com', () => {
+      const testOrigin = 'https://essentials.availity.com.malicious.com'
+
+      const targetOrigin = getTargetOrigin(testOrigin)
+
+      expect(targetOrigin).toBe(undefined)
+    })
+
+    test('should return undefined if the provider origin is not a valid URL', () => {
+      const testOrigin = 'essentials.availity.com'
 
       const targetOrigin = getTargetOrigin(testOrigin)
 
-      expect(targetOrigin).toBe(expected)
+      expect(targetOrigin).toBe(undefined)
     })
   })