Skip to content

Fix(client): FCM 로직 수정 #182

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jllee000 merged 17 commits into from
Oct 3, 2025
Merged

Fix(client): FCM 로직 수정 #182

Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
4c7ae0b
feat: 알람 추가설정 제아
jllee000 Sep 29, 2025
67c390a
feat: 알람 추가 설정 및 토큰재발급 수정
jllee000 Sep 29, 2025
883c486
feat: 키 연결 및 cdn 임포트
jllee000 Sep 29, 2025
18294aa
chore: 머지 충돌 수정
jllee000 Sep 29, 2025
61b280c
fix: 서비스워커 경로 설정 수정
jllee000 Sep 29, 2025
1cc44a8
feat: FCM 커스텀
jllee000 Sep 30, 2025
0384964
feat: 리마인드 시간 기준 UST에서 KST
jllee000 Sep 30, 2025
9a6854b
feat: FCM 알람 아이콘 변경
jllee000 Oct 1, 2025
4d153f7
chore: 빌드에러 수정
jllee000 Oct 1, 2025
9945133
feat: FCM 푸시 랜딩 기능 추가
jllee000 Oct 2, 2025
0a751fc
chore: 머지 충돌 수정
jllee000 Oct 2, 2025
2f851bf
Merge branch 'develop' into fix/#161/fcm-setting-edit
jllee000 Oct 2, 2025
836541d
fix: fcm 로직 원복
jllee000 Oct 2, 2025
30d8906
Merge remote-tracking branch 'origin/develop' into fix/#161/fcm-setti…
jllee000 Oct 3, 2025
a47dfb4
feat: fcm 랜딩 기능 추가
jllee000 Oct 3, 2025
9354d2a
feat: fcm 알람 코드 구조 수정
jllee000 Oct 3, 2025
cffe9d1
chore: 머지 충돌 수정
jllee000 Oct 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 13 additions & 9 deletions apps/client/public/firebase-messaging-sw.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,11 +18,12 @@ importScripts(
'https://www.gstatic.com/firebasejs/9.22.2/firebase-messaging-compat.js'
);

self.addEventListener('install', function () {
self.addEventListener('install', (event) => {
self.skipWaiting();
});

self.addEventListener('activate', function () {
self.addEventListener('activate', (event) => {
clients.claim();
console.log('실행중..');
});

Expand All @@ -33,22 +34,25 @@ const messaging = firebase.messaging();
messaging.onBackgroundMessage((payload) => {
console.log('Received background message ', payload);

const notificationTitle = payload.notification?.title ?? 'pinback';
const url = payload.data?.url || 'https://www.pinback.today';

const notificationTitle = 'pinback'; // 무조건 기본값
const notificationOptions = {
body: payload.data?.body ?? '저장한 북마크를 확인해 보세요!',
icon: payload.data?.icon ?? '/FCM-IMG.png',
data: {
url: 'https://www.pinback.today',
},
body: '저장한 북마크를 확인해 보세요!',
icon: '/FCM-IMG.png',
data: { url },
requireInteraction: true,
renotify: true,
};
Comment on lines +37 to 46
Copy link

@coderabbitai coderabbitai bot Oct 3, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

URL 검증 누락으로 인한 보안 취약점

payload.data?.url에서 추출된 URL을 검증 없이 사용하고 있습니다. 악의적인 FCM 메시지가 javascript:, data:, 또는 기타 위험한 스킴을 포함한 URL을 전달할 수 있어 클릭 시 XSS 공격에 노출될 수 있습니다.

다음 diff를 적용하여 URL 스킴을 검증하세요:

- const url = payload.data?.url || 'https://www.pinback.today';
+ const rawUrl = payload.data?.url || 'https://www.pinback.today';
+ let url;
+ try {
+   const parsedUrl = new URL(rawUrl);
+   // HTTP/HTTPS만 허용
+   if (parsedUrl.protocol === 'http:' || parsedUrl.protocol === 'https:') {
+     url = rawUrl;
+   } else {
+     console.warn('Invalid URL scheme:', parsedUrl.protocol);
+     url = 'https://www.pinback.today';
+   }
+ } catch (e) {
+   console.warn('Invalid URL:', rawUrl);
+   url = 'https://www.pinback.today';
+ }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
const url = payload.data?.url || 'https://www.pinback.today';
const notificationTitle = 'pinback'; // 무조건 기본값
const notificationOptions = {
body: payload.data?.body ?? '저장한 북마크를 확인해 보세요!',
icon: payload.data?.icon ?? '/FCM-IMG.png',
data: {
url: 'https://www.pinback.today',
},
body: '저장한 북마크를 확인해 보세요!',
icon: '/FCM-IMG.png',
data: { url },
requireInteraction: true,
renotify: true,
};
const rawUrl = payload.data?.url || 'https://www.pinback.today';
let url;
try {
const parsedUrl = new URL(rawUrl);
// HTTP/HTTPS만 허용
if (parsedUrl.protocol === 'http:' || parsedUrl.protocol === 'https:') {
url = rawUrl;
} else {
console.warn('Invalid URL scheme:', parsedUrl.protocol);
url = 'https://www.pinback.today';
}
} catch (e) {
console.warn('Invalid URL:', rawUrl);
url = 'https://www.pinback.today';
}
const notificationTitle = 'pinback'; // 무조건 기본값
const notificationOptions = {
body: '저장한 북마크를 확인해 보세요!',
icon: '/FCM-IMG.png',
data: { url },
requireInteraction: true,
renotify: true,
};
🤖 Prompt for AI Agents 
In apps/client/public/firebase-messaging-sw.js around lines 37 to 46, the code
uses payload.data?.url without validation which allows dangerous schemes
(javascript:, data:, etc.); validate and sanitize the URL before using it by
parsing with the URL constructor inside a try/catch, ensure the protocol is
either "http:" or "https:", and if parsing fails or the protocol is not allowed
fall back to the safe default 'https://www.pinback.today'; assign this
validated/sanitized URL to notificationOptions.data.url (do not use the raw
payload value).


self.registration.showNotification(notificationTitle, notificationOptions);
});

self.addEventListener('notificationclick', (event) => {
event.notification.close();

const url = event.notification.data?.url || 'https://www.pinback.today';

event.waitUntil(
clients
.matchAll({ type: 'window', includeUncontrolled: true })
Expand All @@ -59,7 +63,7 @@ self.addEventListener('notificationclick', (event) => {
}
}
if (clients.openWindow) {
return clients.openWindow('https://www.pinback.today');
return clients.openWindow(url);
}
})
);
Expand Down
Loading