Merge pull request #3817 from mozilla/mntor-2608

Prevent reading of user on dashboard if there is no session
mozilla · Dec 5, 2023 · 3f6b870 · 3f6b870
2 parents 5cacd73 + c6a51aa
commit 3f6b870
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 11 deletions.
diff --git a/src/app/(nextjs_migration)/(authenticated)/user/breaches/page.tsx b/src/app/(nextjs_migration)/(authenticated)/user/breaches/page.tsx
@@ -23,6 +23,7 @@ import { BreachesTable } from "../../../components/server/BreachesTable";
 import { getComponentAsString } from "../../../functions/server/getComponentAsString";
 import { getCountryCode } from "../../../../functions/server/getCountryCode";
 import { getNonce } from "../../../functions/server/getNonce";
+import { SignInButton } from "../../../components/client/SignInButton";
 
 export function generateMetadata() {
   const l10n = getL10n();
@@ -68,14 +69,15 @@ declare global {
 
 export default async function UserBreaches() {
   const session = await getServerSession(authOptions);
+  if (!session?.user?.subscriber) {
+    return <SignInButton autoSignIn />;
+  }
+
   const l10n = getL10n();
   const headerList = headers();
 
   const userBreachesData: UserBreaches = await getUserBreaches({
-    // `(authenticated)/layout.tsx` ensures that `session` is not undefined,
-    // so the type assertion should be safe:
-    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-    user: session!.user,
+    user: session.user,
     options: {
       countryCode: getCountryCode(headerList),
     },

diff --git a/src/app/(nextjs_migration)/(authenticated)/user/layout.tsx b/src/app/(nextjs_migration)/(authenticated)/user/layout.tsx
@@ -2,7 +2,6 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-import { v5 as uuidv5 } from "uuid";
 import { ReactNode } from "react";
 import { getServerSession } from "next-auth";
 import Image from "next/image";
@@ -29,11 +28,11 @@ export type Props = {
 
 const MainLayout = async (props: Props) => {
   const session = await getServerSession(authOptions);
-  if (!session) {
+  if (!session?.user?.subscriber) {
     return <SignInButton autoSignIn />;
   }
 
-  const userId = session?.user?.subscriber?.fxa_uid ?? "";
+  const userId = session.user.subscriber.fxa_uid ?? "";
 
   if (!userId) {
     logger.error("No user ID for telemetry");

diff --git a/src/app/(nextjs_migration)/(authenticated)/user/settings/page.tsx b/src/app/(nextjs_migration)/(authenticated)/user/settings/page.tsx
@@ -21,7 +21,6 @@ import { getBreachesForEmail } from "../../../../../utils/hibp";
 import { getSha1 } from "../../../../../utils/fxa";
 import { getSubscriberById } from "../../../../../db/tables/subscribers";
 import { getNonce } from "../../../functions/server/getNonce";
-import { getEnabledFeatureFlags } from "../../../../../db/tables/featureFlags";
 
 const emailNeedsVerificationSub = (email: EmailRow) => {
   const l10n = getL10n();
@@ -153,9 +152,7 @@ export default async function Settings() {
   if (!session || !session.user?.subscriber) {
     return redirect("/");
   }
-  const enabledFlags = await getEnabledFeatureFlags({
-    email: session.user.email,
-  });
+
   // Re-fetch the subscriber every time, rather than reading it from `session`
   // - if the user changes their preferences on this page, the JSON web token
   // containing the subscriber data won't be updated until the next sign-in.