From f7a6a266da29add1fe70ea54d43b40b9ddbb7431 Mon Sep 17 00:00:00 2001
From: R Midhun Suresh <hi@midhun.dev>
Date: Mon, 21 Oct 2024 01:09:55 +0530
Subject: [PATCH] Only send token after verifying the homeserver

---
 src/matrix/Client.js                         | 11 ++++--
 src/platform/web/dom/ServiceWorkerHandler.js | 19 +++++++----
 src/platform/web/sw.js                       | 36 ++++++++++++++------
 3 files changed, 45 insertions(+), 21 deletions(-)

diff --git a/src/matrix/Client.js b/src/matrix/Client.js
index a950ba9a6e..242375b50b 100644
--- a/src/matrix/Client.js
+++ b/src/matrix/Client.js
@@ -290,8 +290,11 @@ export class Client {
             serverVersions: lastVersionsResponse.versions,
         });
 
-        // Let the serviceWorkerHandler know of this access-token
-        this._platform.updateService.setAccessToken(sessionInfo.accessToken);
+        // Let the serviceWorkerHandler know of this access-token and homeserver
+        this._platform.updateService.updateAuthData({
+            accessToken: sessionInfo.accessToken,
+            homeserver: sessionInfo.homeServer,
+        });
 
         this._session = new Session({
             storage: this._storage,
@@ -382,7 +385,9 @@ export class Client {
             throw Error("No session loaded, cannot update access token");
         }
         this._session.updateAccessToken(token);
-        await this._platform.updateService.setAccessToken(token);
+        this._platform.updateService.updateAuthData({
+            accessToken: token,
+        });
         await this._platform.sessionInfoStorage.updateAccessToken(this._sessionId, token);
     }
 
diff --git a/src/platform/web/dom/ServiceWorkerHandler.js b/src/platform/web/dom/ServiceWorkerHandler.js
index 1fd836bf04..2224458924 100644
--- a/src/platform/web/dom/ServiceWorkerHandler.js
+++ b/src/platform/web/dom/ServiceWorkerHandler.js
@@ -28,7 +28,7 @@ export class ServiceWorkerHandler {
         this._currentController = null;
         this._sessionInfoStorage = sessionInfoStorage;
         this.haltRequests = false;
-        this._accessToken = null;
+        this._authData = {};
     }
 
     setNavigation(navigation) {
@@ -36,11 +36,16 @@ export class ServiceWorkerHandler {
     }
 
     /**
-     * Set the access-token to be used within the service worker.
-     * @param token An access-token
+     * Set the access-token and homeserver to be used within the service worker.
+     * @param auth An object with accessToken and homeserver
      */
-    setAccessToken(token) {
-        this._accessToken = token;
+    updateAuthData(auth) {
+        if (!auth.accessToken && !auth.homeserver) {
+            throw new Error(
+                "updateAuthData argument must contain accessToken, homeserver or both!"
+            );
+        }
+        this._authData = { ...this._authData, ...auth };
     }
 
     registerAndStart(path) {
@@ -96,10 +101,10 @@ export class ServiceWorkerHandler {
             event.source.postMessage({ replyTo: data.id });
         } else if (data.type === "openRoom") {
             this._navigation.push("room", data.payload.roomId);
-        } else if (data.type === "getAccessToken") {
+        } else if (data.type === "getAuthInfo") {
             event.source.postMessage({
                 replyTo: data.id,
-                payload: this._accessToken,
+                payload: this._authData,
             });
         }
     }
diff --git a/src/platform/web/sw.js b/src/platform/web/sw.js
index 4f16659d8d..23c90c42df 100644
--- a/src/platform/web/sw.js
+++ b/src/platform/web/sw.js
@@ -124,25 +124,39 @@ async function handleRequest({ request, clientId }) {
         }
 
         // Add access token for authenticated media endpoints
-        if (request.url.includes("_matrix/client/v1/media")) {
-            const headers = new Headers(request.headers);
+        const pathNameStartsWithMediaPrefix =
+            url.pathname.indexOf("/_matrix/client/v1/media") === 0;
+        if (pathNameStartsWithMediaPrefix) {
             const client = await self.clients.get(clientId);
-            const accessToken = await sendAndWaitForReply(
+            const { accessToken, homeserver } = await sendAndWaitForReply(
                 client,
-                "getAccessToken",
+                "getAuthInfo",
                 {}
             );
             if (!accessToken) {
                 throw new Error(
-                    "Token returned from getAccessToken message in sw.js is null"
+                    "Token returned from getAuthInfo message in sw.js is null!"
                 );
             }
-            headers.set("authorization", `Bearer ${accessToken}`);
-            request = new Request(request, {
-                mode: "cors",
-                credentials: "omit",
-                headers,
-            });
+            if (!homeserver) {
+                throw new Error(
+                    "homeserver returned from getAuthInfo message in sw.js is null!"
+                );
+            }
+            // Is this request actually going to the homeserver?
+            const isRequestForHomeserver =
+                new URL(homeserver).origin === url.origin;
+            if (isRequestForHomeserver) {
+                // Only add the access-token if we know that this request
+                // is going to the homeserver.
+                const headers = new Headers(request.headers);
+                headers.set("authorization", `Bearer ${accessToken}`);
+                request = new Request(request, {
+                    mode: "cors",
+                    credentials: "omit",
+                    headers,
+                });
+            }
         }
 
         let response = await readCache(request);