CORVID BUG: wix-router woes

I am having a major problem with the wix-router generating duplicate (ghost) events emanating from the backend/routers.js _Router function.

In the normal scheme of things this may not be an issue BUT for the project I am trying to implement this is a major issue. Essentially I have code that implements defense against a CSRF Attack . Essentially I have a unique id that I expect to find in the inbound request (also known as a NONCE ) when I see it I remove my copy so that I can reject any subsequent duplicate requests to my site.

Guess what - I am seeing duplicate requests. because my CSRF defense code is working! :slight_smile:

This causes a problem in that the current session that I am trying to set up does complete successfully during the first request coming in. I have logs to show this (see below) which I have generated from the Site Monitoring Service. However the second request begins processing before the first completes and hits the CSRF check before the first route completes. The first route is then pre-empted and an error page loads instead.

The application this is associated with is a series of Custom Social Media Login buttons (see below).

The flow I am seeing looks like this

Where I have marked the problem is where the duplicate router event is occuring. In the case of facebook you nominate a redirect URL and it gets called with two pieces of information:

One piece of information is the state query parameter (shown above) the second is a one time use code that you convert into an access token. The state is what is used to detect a CSRF attack.

Here is an example of the router debug data that I am getting:
In the first screenshot You will see the time that the request was made and the state value circled in red.

Again as with the first screen shot this shows that time that the request was made - 314ms after the first one.It shows the exact same state value. BUT interestingly it also shows that the request came from the router URL.

I have also tried to fix this by using a beforeRouter check. The problem is that both requests are being handled in the same SPA context so the bad request always overrides the good one.

By using a before Router you can see that the first request is completing and actually being redirected to a different URL however the exact same duplication occurs.

here is the code that is used for the redirect. Note that the URL appends a new path and changes the query parameters.:

The Project:

I am building a custom login screen that includes three social network login buttons:

These buttons are not available for customization in Wix so I am on a journey to implement this using the raw https: REST APIs that the respective social networks offer.

My solution is to use the wix-router to handle the OAuth redirect that is required per the specifications of each Social network.

The only other mechanism that I don’t like as it is ANTI Corvid :wink: is to use the javascript APIs in an HTML Component which adds additional messaging between the page code and the component. In addition there are certain pieces of information that need to remain “secret” for the login flows to be secure so the router IMHO is the best solution.

So far I have managed to get the authentication process to work well with Facebook and Twitter BUT I am unable to load the page needed to complete the sessionToken activation.