Closed emgoto closed 2 years ago
Same issue here... this is not good. I am logged in as myself but on my page https://vazaha.blog/en/9/php-frankenstein-arrays it looks like I am logged in as the commenter and my own comment (2nd one) is posted under his account.
Edit: I just deleted the comment with wrong account
I'm not sure what's the best way to reach out to the owner - @jdanyow?
Hey folks- I saw this thread. I cannot reproduce the issue. Utterances doesn't store any credentials/tokens server side so I can't think of how it would be possible for you to sign in as another user. Have you been able to post a comment as another user? If so, can you link me to the comment on github?
Any errors in the console?
^ Here's an example of me using someone else's account (sorry gjurd!)
I can't see any console errors.
gjurd isn't the most recent person to comment on my site (someone else did 24 hours ago), but he did comment about 2 weeks ago, probably the second most recent person to do so 🤔
I can only do it on my regular browser (Firefox) so I'm assuming it's somehow related to either:
Here are my thoughts on this:
This part of the code uses `location.search`, which might still contain the `utterances` session param, even though you've removed it and called `history.replaceState` before:
https://github.com/utterance/utterances/blob/607b8ace059b8a726dea8a20541b1936a9c9ad88/src/client.ts#L8-L16
The iframe was still created with `location.search` as part of its `url` query param, which is used by utterances to link to the website in the issue starter post. So, if you look at @emgoto's issues, issues made by @utterances-bot have the `?utterances=` query param in the link to the website, which is the session ID. If you click the link, you'll use the session of the user who triggered the issue creation.
You can probably fix this by making sure the `utterances` query param is removed before setting the value for `attrs.url`.
I came across a similar issue in https://github.com/giscus/giscus-component/issues/8.
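The fix proposed in the comment above, written out as an added example in JavaScript (not utterances' own code): the `utterances` parameter name and the `url` attribute come from the thread; the page origin, path and session value are constructed samples.

```javascript
// Added example, not the utterances client. Shows why building the iframe's
// `url` attribute from the raw location.search leaks the session param into a
// URL that gets stored (the issue starter post), and how stripping it fixes that.
const SESSION_PARAM = 'utterances'; // name of the session query param (from the thread)

// Vulnerable pattern: the page URL carries the whole query string, session param included.
function pageUrlUnsafe(origin, pathname, search) {
  return origin + pathname + search;
}

// Hardened: remove the session param but keep any other query params the page had.
function stripSessionParam(search) {
  const params = new URLSearchParams(search);
  const token = params.get(SESSION_PARAM); // null when no session param is present
  params.delete(SESSION_PARAM);
  const rest = params.toString();
  return { search: rest ? '?' + rest : '', token };
}

function pageUrlSafe(origin, pathname, search) {
  return origin + pathname + stripSessionParam(search).search;
}

// The iframe src embeds the page URL as its own `url` query param, as the thread describes.
function iframeSrc(frameOrigin, attrs) {
  return frameOrigin + '/utterances.html?' + new URLSearchParams(attrs).toString();
}

// Check a URL that will be persisted or shared does not contain the session value.
function leaksSession(url, token) {
  return token !== null && url.includes(token);
}

// Constructed sample: the page URL right after the OAuth redirect appended the session param.
function demo() {
  const origin = 'https://example.com';
  const pathname = '/posts/hello';
  const search = '?utterances=SAMPLE_SESSION_ID&ref=rss';
  const { token } = stripSessionParam(search);
  const frame = 'https://utteranc.es';
  const unsafe = iframeSrc(frame, { url: pageUrlUnsafe(origin, pathname, search) });
  const safe = iframeSrc(frame, { url: pageUrlSafe(origin, pathname, search) });
  return { unsafe, safe, unsafeLeaks: leaksSession(unsafe, token), safeLeaks: leaksSession(safe, token) };
}
```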
fixed, all tokens revoked, thanks for reporting!
After a person comments on my site, I can then comment using their account on any post on my site. e.g. this is not my account, but I can leave a comment with it:
I'm not sure how this is possible.