near / near-wallet

Web wallet for NEAR Protocol which stores keys in browser's localStorage
https://wallet.near.org
MIT License
213 stars 174 forks

open `redirectUrl` even if the linkdrop is invalid #1962

Open think-in-universe opened 3 years ago

think-in-universe commented 3 years ago

Problem

In the case of claiming an NFT drop via linkdrop, it sometimes happens that the wallet doesn't jump to redirectUrl automatically after the user has claimed the linkdrop (the root cause is not clear yet, still under investigation). As a workaround, the wallet may still redirect to the redirectUrl as long as the user has logged in to the wallet, even if the linkdrop is invalid.

Expected Behavior

The wallet still redirects to redirectUrl even if the linkdrop is invalid, as long as the user has logged in to the wallet.

Security Concern: this will bring some phishing risk, since the redirect will happen even if the linkdrop is invalid. We may deliver this together with https://github.com/near/near-wallet/issues/1963, to ensure the user has reviewed the redirect URL before moving forward.

Steps to reproduce

  1. Open any invalid linkdrop link with redirectUrl parameter
  2. The wallet doesn't jump to redirectUrl, since that currently only happens after the linkdrop has been claimed successfully

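
The review step raised under Security Concern, sketched as an added example (not near-wallet's code and not part of the original issue): the `redirectUrl` value is parsed and filtered, and for an invalid linkdrop the wallet asks the logged-in user to confirm the destination origin instead of navigating on its own. The function names, the returned `action` values, the policy that a valid claim redirects directly, and the link path used in testing are assumptions.

```javascript
// Added example, not near-wallet code. WALLET_ORIGIN is the wallet URL shown on the page.
const WALLET_ORIGIN = 'https://wallet.near.org';

// Parse an untrusted redirectUrl value. Returns a URL object, or null when
// the value must not be used as a navigation target.
function parseRedirectTarget(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return null;
  let target;
  try {
    target = new URL(raw); // absolute URLs only; relative or malformed input throws
  } catch (e) {
    return null;
  }
  // Only https: this also rejects javascript:, data: and plain http: targets.
  if (target.protocol !== 'https:') return null;
  // Reject userinfo, which lets a trusted-looking name appear before the real host.
  if (target.username || target.password) return null;
  return target;
}

// Decide what happens after a linkdrop attempt (hypothetical policy):
//   'stay'     - no usable redirectUrl, or the user is not logged in
//   'redirect' - linkdrop was claimed successfully
//   'confirm'  - linkdrop invalid: show the origin and wait for user approval
function planRedirect(linkdropUrl, { loggedIn, linkdropValid }) {
  const raw = new URL(linkdropUrl, WALLET_ORIGIN).searchParams.get('redirectUrl');
  const target = parseRedirectTarget(raw);
  if (!target) return { action: 'stay', reason: 'redirectUrl missing or rejected' };
  if (!loggedIn) return { action: 'stay', reason: 'user not logged in' };
  if (linkdropValid) return { action: 'redirect', href: target.href };
  return {
    action: 'confirm',
    // URL.origin holds the normalized scheme and host, with non-ASCII names in
    // punycode form, so a lookalike domain is visible in the prompt.
    showOrigin: target.origin,
    href: target.href,
  };
}
```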
stefanopepe commented 3 years ago

Do you have a few failed transactions, for forensics? Maybe we can find something in the logs and check what didn't go well

think-in-universe commented 3 years ago

@stefanopepe I checked all the reported accounts and didn't see any failed transactions, so still confused about how the failure happens and we didn't yet find a way to reproduce the redirect failure by ourselves.

stefanopepe commented 3 years ago

Any list of accounts previously affected? I can try to dig in the error logs

think-in-universe commented 3 years ago

@stefanopepe Yeah. I'll send you. There're a few as collected by @RubyJiao