Auto refresh a page with obsolete nonce value (#7297)

* Auto refresh a page with obsolete nonce value * Log page refreshing with obsolete nonce value
2025-01-16 21:58:17 +01:00 · 2024-11-08 09:47:22 +01:00 · 2024-11-08 09:47:22 +01:00 · 405d262d9f
commit 405d262d9f
parent 85000d5a99
4 changed files with 28 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -92,6 +92,7 @@ HumHub Changelog
 - Fix #7276: Cron jobs cannot "Create public content" (since 1.15.3)
 - Fix #7278: Don't remove html tags by JS from search post record because it is done by PHP
 - Fix #7296: Fix email validation of invite new users
+- Fix #7297: Auto refresh a page with obsolete nonce value

 1.16.2 (September 5, 2024)
 --------------------------
--- a/protected/humhub/modules/live/assets/LiveAsset.php
+++ b/protected/humhub/modules/live/assets/LiveAsset.php
@ -9,6 +9,8 @@
 namespace humhub\modules\live\assets;

 use humhub\components\assets\AssetBundle;
+use humhub\modules\web\security\helpers\Security;
+use Yii;

 class LiveAsset extends AssetBundle
 {
@ -24,4 +26,16 @@ class LiveAsset extends AssetBundle
        'js/humhub.live.js',
        'js/humhub.live.poll.js',
    ];
+
+    /**
+     * @inheritdoc
+     */
+    public function init()
+    {
+        parent::init();
+
+        Yii::$app->view->registerJsConfig('live.poll', [
+            'nonce' => Security::getNonce(),
+        ]);
+    }
 }
--- a/protected/humhub/modules/live/controllers/PollController.php
+++ b/protected/humhub/modules/live/controllers/PollController.php
@ -14,6 +14,7 @@ use humhub\modules\live\components\LiveEvent;
 use humhub\modules\live\driver\Poll;
 use humhub\modules\live\models\Live;
 use humhub\modules\user\services\IsOnlineService;
+use humhub\modules\web\security\helpers\Security;
 use Yii;
 use yii\base\Exception;
 use yii\db\ActiveQuery;
@ -91,6 +92,7 @@ class PollController extends Controller
        $results['queryTime'] = time();
        $results['lastQueryTime'] = $lastQueryTime;
        $results['lastSessionTime'] = $lastSessionTime;
+        $results['nonce'] = Security::getNonce();
        $results['events'] = [];

        foreach ($this->buildLookupQuery($lastQueryTime)->all() as $live) {
--- a/protected/humhub/modules/live/resources/js/humhub.live.poll.js
+++ b/protected/humhub/modules/live/resources/js/humhub.live.poll.js
@ -198,6 +198,7 @@ humhub.module('live.poll', function (module, require, $) {
     * Handles the live update response.
     */
    PollClient.prototype.handleUpdate = function (response) {
+        this.refreshNonce(response);

        if (this.lastTs >= response.queryTime) {
            // We already have a more recent update
@ -244,6 +245,16 @@ humhub.module('live.poll', function (module, require, $) {
        }
    };

+    PollClient.prototype.refreshNonce = function (response) {
+        if (typeof response.data.nonce !== 'undefined' &&
+            typeof module.config.nonce !== 'undefined' &&
+            response.data.nonce !== module.config.nonce) {
+            // Reload current page if the nonce value has been changed since last page loading
+            module.log.info('Force page reload. Nonce (session) has changed.');
+            location.reload();
+        }
+    };
+
    PollClient.prototype.broadCast = function (type, data) {
        data = data || {};