Merge pull request #211 from stanleyowen/otp

Resolve OTP Code Issue and Revoke Object URL After Downloading OTP
stanleyowen · Jun 11, 2021 · 0b3cc38 · 0b3cc38
2 parents 8a908da + dce43b7
commit 0b3cc38
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 7 deletions.
diff --git a/client/src/components/account.component.js b/client/src/components/account.component.js
@@ -10,11 +10,10 @@ import { faCheck, faInfo, faKey, faTimes, faSignOutAlt, faEyeSlash, faEye, faExc
 import { getCSRFToken, openModal, closeModal } from '../libraries/validation'
 import { setNotification, NOTIFICATION_TYPES } from '../libraries/setNotification'
 
-const sanitizer = dompurify.sanitize
-
 const Account = ({ userData }) => {
     const {email, thirdParty, security, authenticated, isLoading, server: SERVER_URL} = userData
     const {valid, invalid} = authenticated ? security['backup-codes'] : []
+    const sanitizer = dompurify.sanitize
 
     const [password, setPassword] = useState({
         oldPassword: '',
@@ -26,7 +25,7 @@ const Account = ({ userData }) => {
         password: false,
         newPassword: false,
         confirmPassword: false,
-        mfa: false 
+        mfa: false
     })
     const [data, setData] = useState({
         tokenId: '',
@@ -43,7 +42,7 @@ const Account = ({ userData }) => {
             ['password', 'mfa', 'otp', 'backup-code'].forEach(a => {
                 const modal = document.getElementById(`${a}-modal`)
                 const background = document.getElementById(`${a}-bg`)
-                if(e.target === background && !properties.disabled){
+                if(e.target === background && !properties.disabled) {
                     modal.classList.remove('showModal')
                     modal.classList.add('closeModal')
                     background.classList.remove('showBackground')
@@ -135,8 +134,11 @@ const Account = ({ userData }) => {
         tempLink.dataset.downloadurl = ['application/octet-stream', tempLink.download, tempLink.href].join(':')
         document.body.appendChild(tempLink)
         tempLink.click()
-        document.body.removeChild(tempLink)
         btn.innerText = "Downloaded"
+        setTimeout(() => {
+            document.body.removeChild(tempLink)
+            window.URL.revokeObjectURL(tempLink)
+        }, 500)
         setTimeout(() => btn.innerText = "Download", 3000)
     }
 

diff --git a/server/lib/passport.js b/server/lib/passport.js
@@ -398,8 +398,8 @@ passport.use('verifyOTP', new localStrategy({ usernameField: 'email', passwordFi
     else
         OTPToken.findById(tokenId, (err, data) => {
             if(err) return done(err, false)
-            else if(!data) return done(null, false, { status: 400, message: MSG_DESC[38] })
-            else if(data && _id == decrypt(data.userId, 2) && token === decrypt(data.token, 2))
+            else if(!data || _id != decrypt(data.userId, 2) || token !== decrypt(data.token, 2)) return done(null, false, { status: 400, message: MSG_DESC[38] })
+            else if(data)
                 data.deleteOne(err => {
                     if(err) return done(err, false)
                     return done(null, req.body, { status: 200, message: MSG_DESC[5] })