fix: removed the possibility of concurrent webauth transactions to ha…

…ndle continuation misuse (#848)
auth0 · May 8, 2024 · 1aa48da · 1aa48da
1 parent c0f37e0
commit 1aa48da
Show file tree

Hide file tree

Showing 5 changed files with 23 additions and 1 deletion.
diff --git a/Auth0/Auth0WebAuth.swift b/Auth0/Auth0WebAuth.swift
@@ -158,6 +158,11 @@ final class Auth0WebAuth: WebAuth {
     }
 
     func start(_ callback: @escaping (WebAuthResult<Credentials>) -> Void) {
+
+        if self.storage.current != nil {
+            return callback(.failure(WebAuthError(code: .transactionActiveAlready)))
+        }
+
         guard let redirectURL = self.redirectURL else {
             return callback(.failure(WebAuthError(code: .noBundleIdentifier)))
         }
@@ -207,6 +212,11 @@ final class Auth0WebAuth: WebAuth {
     }
 
     func clearSession(federated: Bool, callback: @escaping (WebAuthResult<Void>) -> Void) {
+
+        if self.storage.current != nil {
+            return callback(.failure(WebAuthError(code: .transactionActiveAlready)))
+        }
+
         let endpoint = federated ?
             URL(string: "v2/logout?federated", relativeTo: self.url)! :
             URL(string: "v2/logout", relativeTo: self.url)!

diff --git a/Auth0/AuthenticationError.swift b/Auth0/AuthenticationError.swift
@@ -184,7 +184,7 @@ extension AuthenticationError {
 
         return "Received error with code \(self.code)."
     }
-    
+
 }
 
 // MARK: - Equatable

diff --git a/Auth0/WebAuthError.swift b/Auth0/WebAuthError.swift
@@ -6,6 +6,7 @@ public struct WebAuthError: Auth0Error {
 
     enum Code: Equatable {
         case noBundleIdentifier
+        case transactionActiveAlready
         case invalidInvitationURL(String)
         case userCancelled
         case noAuthorizationCode([String: String])
@@ -79,6 +80,8 @@ extension WebAuthError {
         switch self.code {
         case .noBundleIdentifier: return "Unable to retrieve the bundle identifier from Bundle.main.bundleIdentifier,"
             + " or it could not be used to build a valid URL."
+        case .transactionActiveAlready: return "Failed to start this transaction, as there is an active transaction at the"
+            + " moment."
         case .invalidInvitationURL(let url): return "The invitation URL (\(url)) is missing the 'invitation' and/or"
             + " the 'organization' query parameters."
         case .userCancelled: return "The user cancelled the Web Auth operation."

diff --git a/Auth0Tests/WebAuthErrorSpec.swift b/Auth0Tests/WebAuthErrorSpec.swift
@@ -86,6 +86,13 @@ class WebAuthErrorSpec: QuickSpec {
                 expect(error.localizedDescription) == message
             }
 
+            it("should return message for transaction active already") {
+                let message = "Failed to start this transaction, as there is an active transaction at the"
+                + " moment."
+                let error = WebAuthError(code: .transactionActiveAlready)
+                expect(error.localizedDescription) == message
+            }
+
             it("should return message for invalid invitation URL") {
                 let url = "https://samples.auth0.com"
                 let message = "The invitation URL (\(url)) is missing the 'invitation' and/or"

diff --git a/Auth0Tests/WebAuthSpec.swift b/Auth0Tests/WebAuthSpec.swift
@@ -475,6 +475,7 @@ class WebAuthSpec: QuickSpec {
 
             beforeEach {
                 auth = newWebAuth()
+                TransactionStore.shared.clear()
             }
 
             it("should start the supplied provider") {
@@ -600,6 +601,7 @@ class WebAuthSpec: QuickSpec {
 
             beforeEach {
                 auth = newWebAuth()
+                TransactionStore.shared.clear()
             }
 
             it("should start the supplied provider") {
-Original file line number
+Diff line change
@@ Expand Up / @@ -184,7 +184,7 @@ extension AuthenticationError { @@
             return "Received error with code \(self.code)."
         }
     }
     // MARK: - Equatable
@@ Expand Down @@