fix: disallow original nonce being send to verify

rotki · Mar 20, 2024 · 48c8441 · 48c8441
1 parent e1290e6
commit 48c8441
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 29 deletions.
diff --git a/components/checkout/pay/CardPayment.vue b/components/checkout/pay/CardPayment.vue
@@ -54,6 +54,8 @@ const valid = logicAnd(accepted, formValid);
 const processing = logicOr(paying, pending);
 const disabled = logicOr(processing, initializing, formInitializing, success);
 
+const { addCard, createCardNonce } = usePaymentCardsStore();
+
 function updatePending() {
   emit('update:pending', true);
 }
@@ -79,33 +81,30 @@ async function submit() {
   try {
     const { nonce, bin } = await get(cardForm).submit();
 
+    const savedCard = get(card);
+
+    const paymentToken = savedCard
+      ? savedCard.token
+      : await addCard({
+        paymentMethodNonce: nonce,
+      });
+
+    const paymentNonce = await createCardNonce({
+      paymentToken,
+    });
+
     const options: ThreeDSecureVerifyOptions = {
       // @ts-expect-error type is missing
       onLookupComplete(_: any, next: any) {
         next();
       },
       removeFrame: () => updatePending(),
       amount: get(plan).finalPriceInEur,
-      nonce,
+      nonce: paymentNonce,
       bin,
       challengeRequested: true,
     };
 
-    const cardVal = get(card);
-
-    const paymentToken = cardVal
-      ? cardVal.token
-      : await addCard({
-        paymentMethodNonce: nonce,
-      });
-
-    const paymentNonce = await createCardNonce({
-      paymentToken,
-    });
-
-    if (paymentNonce)
-      options.nonce = paymentNonce;
-
     set(verify, true);
 
     btThreeDSecure.on('authentication-modal-close', onClose);
@@ -154,18 +153,18 @@ function clearError() {
   set(error, null);
 }
 
+const stopWatcher = watchEffect(() => {
+  if (get(success))
+    redirect();
+});
+
 function redirect() {
   stopWatcher();
   // redirect happens outside of router to force reload for csp.
   const url = new URL(`${window.location.origin}/checkout/success`);
   window.location.href = url.toString();
 }
 
-const stopWatcher = watchEffect(() => {
-  if (get(success))
-    redirect();
-});
-
 const btClient: Ref<Client | null> = ref(null);
 
 onBeforeMount(async () => {
@@ -197,8 +196,6 @@ onUnmounted(() => {
 });
 
 const css = useCssModule();
-
-const { addCard, createCardNonce } = usePaymentCardsStore();
 </script>
 
 <template>
@@ -207,11 +204,11 @@ const { addCard, createCardNonce } = usePaymentCardsStore();
       <SavedCardDisplay
         v-if="card"
         ref="cardForm"
-        v-model:form-valid="formValid"
-        v-model:initializing="formInitializing"
         :card="card"
         :disabled="disabled"
         :client="btClient"
+        @update:form-valid="formValid = $event"
+        @update:initializing="formInitializing = $event"
       />
       <CardForm
         v-else

diff --git a/store/payments/cards.ts b/store/payments/cards.ts
@@ -40,9 +40,9 @@ export const usePaymentCardsStore = defineStore('payments/cards', () => {
       const parsed = SavedCard.parse(response);
       return parsed.token;
     }
-    catch (error) {
+    catch (error: any) {
       logger.error(error);
-      return '';
+      throw new Error(error.message);
     }
   };
 
@@ -73,9 +73,9 @@ export const usePaymentCardsStore = defineStore('payments/cards', () => {
       );
       return response.paymentNonce;
     }
-    catch (error) {
+    catch (error: any) {
       logger.error(error);
-      return '';
+      throw new Error(error.message);
     }
   };