Skip to content

add getEmbeddedKey #64

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
andrewkmin merged 2 commits into from
Apr 1, 2025
Merged

add getEmbeddedKey #64

andrewkmin merged 2 commits into from
Apr 1, 2025

Conversation

@andrewkmin
Copy link
Contributor

@andrewkmin andrewkmin commented Mar 11, 2025
edited
Loading

$title

SDK counterpart: tkhq/sdk#533

@andrewkmin andrewkmin force-pushed the andrew/expose-get-embedded-key branch from 88a89ca to 22aecef Compare March 11, 2025 17:30
@andrewkmin andrewkmin mentioned this pull request Mar 11, 2025
Merged
r-n-o
r-n-o reviewed Mar 16, 2025
View reviewed changes
auth/index.html
Comment on lines 1250 to 1281
/**
* Function triggered when GET_EMBEDDED_KEY event is received.
* @param {string} requestId: idempotency key
*/
var onGetEmbeddedKey = async function (requestId) {
const embeddedKey = await TKHQ.getEmbeddedKey();

TKHQ.sendMessageUp("EMBEDDED_KEY", embeddedKey, requestId);
};
Copy link
Collaborator

@r-n-o r-n-o Mar 16, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the use case for this? This gives the parent page access to the key that's created in the iframe. Parent apps using this would be better served using the parent's local storage since it'd be equivalent security-wise?

The problem I see is that this change applies equally to parent pages who want to use this event, and parent pages who do not. Because this API exists it means we can't guarantee it won't be used.

Copy link
Collaborator

@r-n-o r-n-o Mar 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is maybe acceptable for auth, but seems too dangerous for import/export frames. In the export frame, the embedded key decrypts the export bundle so it should be considered especially sensitive.

@andrewkmin andrewkmin force-pushed the andrew/expose-get-embedded-key branch from 22aecef to 911e6c8 Compare March 31, 2025 17:17
@andrewkmin andrewkmin merged commit 147193b into main Apr 1, 2025
6 checks passed
@andrewkmin andrewkmin deleted the andrew/expose-get-embedded-key branch April 1, 2025 17:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@r-n-o r-n-o r-n-o approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@andrewkmin @r-n-o