import React, {
createContext,
useContext,
useEffect,
useMemo,
useState,
} from "react";
import { useDispatch, useSelector } from "react-redux";
import {
setIsLogin,
setLoginUserDetails,
} from "../../src/components/common/redux/action.jsx";
import axios from "axios";
import { Roles } from "../components/utils/roles.js";
const AuthContext = createContext();
export const AuthProvider = ({ children }) => {
const dispatch = useDispatch()
const loginUserDetails = useSelector((state) => state?.token?.Auth?.loginUserDetails)
const [ekamMenu, setEkamMenu] = useState([]);
const contextValue = useMemo(() => ({
ekamMenu,
setEkamMenu,
loginUserDetails,
}), [ekamMenu, setEkamMenu, loginUserDetails]);
const fetchUser = async () => {
const urlParams = new URLSearchParams(window.location.search);
const randomString = urlParams.get('token');
const myHeaders = new Headers();
myHeaders.append("Cookie", "Path=/ekam");
myHeaders.append("Content-Type", "application/json");
const requestOptions = {
method: "GET",
headers: myHeaders,
redirect: "follow"
};
try {
if (randomString) {
const isValidResponse = await fetch(`${import.meta.env.VITE_LOGIN}/validateToken/${randomString}`, requestOptions);
const isValid = await isValidResponse.text();
console.log(isValid);
if (isValid) {
try {
const responseTokenResponse = await fetch(`${import.meta.env.VITE_LOGIN}/token/${randomString}`, requestOptions);
const responseToken = await responseTokenResponse.text();
console.log(responseToken);
const responseUserResponse = await fetch(`${import.meta.env.VITE_RBAC}/extractDetails?token=${responseToken}`, requestOptions);
const responseUser = await responseUserResponse.json();
console.log(responseUser);
await fetch(`${import.meta.env.VITE_LOGIN}/removeToken/${randomString}`, { method: 'DELETE', headers: myHeaders });
console.log("USER", responseUser)
const registrationOptions = {
method: "POST",
headers: myHeaders,
body: JSON.stringify({ username: responseUser?.email, password: responseUser?.email + "Testing@1234567" })
};
console.log("USER 2", responseUser)
const irsRegistrationResponse = await fetch(import.meta.env.VITE_USER_REGISTER_JWT_TOKEN, registrationOptions);
const irsRegistrationData = await irsRegistrationResponse.text();
console.log(irsRegistrationData,"Registration data");
if (irsRegistrationData == "User Already Exists!" || irsRegistrationData == "User Registered Successfully!") {
console.log("into if statement");
const loginOptions = {
method: "POST",
headers: myHeaders,
body: JSON.stringify({ username: responseUser?.email, password: responseUser?.email + "Testing@1234567" })
};
const irsTokenResponse = await fetch(import.meta.env.VITE_JWT_TOKEN, loginOptions);
const irsTokenData = await irsTokenResponse.json();
console.log(irsTokenData,"is token data");
dispatch(setIsLogin(true));
console.log("here");
console.log("this is jwt token");
console.log(irsTokenData.jwtToken);
responseUser.jwtToken = irsTokenData?.jwtToken;
console.log("this is response with jwtToken");
console.log(responseUser);
dispatch(setLoginUserDetails(responseUser));
const baseUrl = window.location.origin + window.location.pathname;
window.history.replaceState({}, document.title, baseUrl);
}
} catch (err) {
console.error(err);
}
}
} else {
console.log("into esle");
const irsRegistrationResponse = await axios.post(import.meta.env.VITE_USER_REGISTER_JWT_TOKEN, { username:"priyanka.rodda@gmail.com", password: "Testing@1234567" })
if (irsRegistrationResponse?.data === "User Already Exists!" || irsRegistrationResponse?.data === "User Register Successfully!") {
const irsTokenResponse = await axios.post(import.meta.env.VITE_JWT_TOKEN, { username: "priyanka.rodda@gmail.com", password: "Testing@1234567" })
dispatch(setIsLogin(true))
dispatch(setLoginUserDetails(
{
"bankName": null,
"userType": "NPCI",
"userName": "vivek.upadhyay",
"email": "priyanka.rodda@npci.org.in",
"department":"Information Security",
"projectOwner":"test",
"selectedSite": [
{
"site": "PCOM",
"role": Roles.USER_HOD,
"menus": [
{ menuName: "Dashboard"},
{ menuName: "Inventory"},
{ menuName: "Tracking"},
{ menuName: "AgentMaster"},
{ menuName: "AgentEnvMap"},
{ menuName: "AllowedPorts"},
]
}
],
}
))
}
}
} catch (err) {
console.log("into catch");
console.error(err);
}
};
useEffect(() => {
fetchUser();
}, [])
return (
{children}
)
}
export const useAuth = () => {
const context = useContext(AuthContext);
if (!context) {
throw new Error("You are unthorized for this page")
}
return context;
}
export default AuthContext;
need to resolved
"Improper Session handling
The application allows a user to re-access a session after logout by simply pasting a previously copied URL. This indicates that: The session token (likely stored in a cookie or as a URL parameter) remains valid even after logout. Session termination is incomplete or ineffective, allowing the session to be reused. The app might not be invalidating or expiring the session server-side when a user logs out." "Session Hijacking Risk:
Anyone with access to the URL or session token can regain access to the user’s account after logout.
Bypassing Logout Mechanism:
The logout process gives a false sense of security—users think they’ve logged out, but their session can still be reused.
Unauthorized Access:On shared or public machines, someone could easily revisit a copied link and gain unauthorized access to sensitive data." "Proper Session Invalidation
Ensure that on logout:
The session token is deleted from the client (e.g., cookie cleared).
The session is invalidated server-side (e.g., token or session ID marked as expired or removed from the database/store).
Token Rotation:
Use short-lived access tokens and refresh tokens with strict validation. Tokens should become unusable immediately after logout.
Avoid Session Tokens in URLs:
Never pass session tokens in URLs (GET parameters). URLs can be cached, logged, or easily shared.
Implement Expiry and Inactivity Timeouts:
Set a reasonable expiry time and inactivity timeout on sessions to limit exposure.
Use Secure Cookies with Flags:
Store session tokens in cookies with the following flags:
HttpOnly: Prevents access from JavaScript.
Secure: Ensures it's sent only over HTTPS.
SameSite: Protects against CSRF."
"Back & Refresh Attack
During the assessment it was observed that the session does not get terminated at the server after clicking logout button" An attacker can use previous used or available session to access the application and impersonate valid user to carry out malicious activity or steel any user information. The user’s HTTP session should be terminated on the server immediately after a logout action is performed. It is important to note that simply deleting the cookie from the browser will not terminate the server session. The session must be invalidated at the server, using the HTTP container’s intrinsic session abandonment mechanism.
_NicoElNino_Alamy.png?width=1280&auto=webp&quality=80&disable=upscale#)
![At Least Three iPhone 17 Models to Feature 12GB RAM [Kuo]](https://www.iclarified.com/images/news/97122/97122/97122-640.jpg)
![Dummy Models Showcase 'Unbelievably' Thin iPhone 17 Air Design [Images]](https://www.iclarified.com/images/news/97114/97114/97114-640.jpg)
_Olekcii_Mach_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
![API design for precomputation cache [closed]](https://cdn.sstatic.net/Sites/softwareengineering/Img/apple-touch-icon@2.png?v=1ef7363febba)
![[DEALS] Sterling Stock Picker: Lifetime Subscription (85% off) & Other Deals Up To 98% Off – Offers End Soon!](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
