feat: Use POST instead of GET to log user in with Google One Tap

Author: AshCorr

dotcom-rendering/src/components/GoogleOneTap.importable.tsx

@@ -44,11 +44,9 @@ const getStage = (hostname: string): StageType => {
 
 export const getRedirectUrl = ({
 	stage,
-	token,
 	currentLocation,
 }: {
 	stage: StageType;
-	token: string;
 	currentLocation: string;
 }): string => {
 	const profileDomain = {
@@ -57,11 +55,10 @@ export const getRedirectUrl = ({
 		DEV: 'https://profile.thegulocal.com',
 	}[stage];
 	const queryParams = new URLSearchParams({
-		token,
 		returnUrl: currentLocation,
 	});
 
-	return `${profileDomain}/signin/google?${queryParams.toString()}`;
+	return `${profileDomain}/signin/google-one-tap?${queryParams.toString()}`;
 };
 
 // TODO: Do we want to use different Google Client IDs for One Tap than we use for social sign in?
@@ -87,6 +84,32 @@ const getProviders = (stage: StageType): IdentityProviderConfig[] => {
 	}
 };
 
+/**
+ * Submits the Google One Tap token to the Gateway.
+ *
+ * This is done via a form submission in order to redirect the user to Gateway
+ * in a POST request. This way we avoid including the token in the URL,
+ * which could be logged or cached and potentially expose
+ * the user's Google One Tap token.
+ *
+ * @param {string} url - The URL to submit the form to.
+ * @param {string} token - The Google One Tap token to submit.
+ */
+const submitGoogleOneTapToken = (url: string, token: string) => {
+	const form = document.createElement('form');
+	form.method = 'POST';
+	form.action = url;
+
+	const tokenInput = document.createElement('input');
+	tokenInput.type = 'hidden';
+	tokenInput.name = 'token';
+	tokenInput.value = token;
+	form.appendChild(tokenInput);
+	document.body.appendChild(form);
+
+	form.submit();
+};
+
 export const initializeFedCM = async ({
 	isSignedIn,
 }: {
@@ -166,12 +189,9 @@ export const initializeFedCM = async ({
 			credentials,
 		});
 
-		window.location.replace(
-			getRedirectUrl({
-				stage,
-				token: credentials.token,
-				currentLocation: window.location.href,
-			}),
+		submitGoogleOneTapToken(
+			getRedirectUrl({ stage, currentLocation: window.location.href }),
+			credentials.token,
 		);
 	} else {
 		// TODO: Track Ophan "FedCM" skip event here.

dotcom-rendering/src/components/GoogleOneTap.test.tsx

@@ -1,102 +1,124 @@
 import { getRedirectUrl, initializeFedCM } from './GoogleOneTap.importable';
 
 const mockWindow = ({
-	replace,
 	get,
 	enableFedCM = true,
 }: {
-	replace: jest.Mock;
 	get: jest.Mock;
 	enableFedCM?: boolean;
-}) =>
-	Object.defineProperty(globalThis, 'window', {
-		value: {
-			location: {
-				href: 'https://www.theguardian.com/uk',
-				hostname: 'm.code.theguardian.com',
-				replace,
-			},
-			navigator: { credentials: { get } },
-			...(enableFedCM ? { IdentityCredential: 'mock value' } : {}),
+}) => {
+	const form = {
+		submit: jest.fn(),
+		appendChild: jest.fn(),
+		method: undefined,
+		action: undefined,
+	};
+	const input = {
+		submit: jest.fn(),
+		type: undefined,
+		name: undefined,
+		value: undefined,
+	};
+
+	const window = {
+		location: {
+			href: 'https://www.theguardian.com/uk',
+			hostname: 'm.code.theguardian.com',
+		},
+		navigator: { credentials: { get } },
+		...(enableFedCM ? { IdentityCredential: 'mock value' } : {}),
+	};
+
+	const document = {
+		createElement: jest.fn((element) => {
+			if (element === 'form') {
+				return form;
+			} else if (element === 'input') {
+				return input;
+			} else {
+				throw new Error(`Unsupported element: ${element}`);
+			}
+		}),
+		addEventListener: jest.fn(),
+		body: {
+			appendChild: jest.fn(),
 		},
+	};
+
+	Object.defineProperty(globalThis, 'window', {
+		value: window,
+		writable: true,
+	});
+	Object.defineProperty(globalThis, 'document', {
+		value: document,
 		writable: true,
 	});
 
+	return { form, input };
+};
+
 describe('GoogleOneTap', () => {
 	it('should return the correct signin URL after constructing it with the provided stage and token', () => {
 		expect(
 			getRedirectUrl({
 				stage: 'PROD',
-				token: 'test-token',
 				currentLocation: 'https://www.theguardian.com/uk',
 			}),
 		).toEqual(
-			'https://profile.theguardian.com/signin/google?token=test-token&returnUrl=https%3A%2F%2Fwww.theguardian.com%2Fuk',
+			'https://profile.theguardian.com/signin/google-one-tap?returnUrl=https%3A%2F%2Fwww.theguardian.com%2Fuk',
 		);
 
 		expect(
 			getRedirectUrl({
 				stage: 'CODE',
-				token: 'test-token',
 				currentLocation: 'https://m.code.dev-theguardian.com/uk',
 			}),
 		).toEqual(
-			'https://profile.code.dev-theguardian.com/signin/google?token=test-token&returnUrl=https%3A%2F%2Fm.code.dev-theguardian.com%2Fuk',
+			'https://profile.code.dev-theguardian.com/signin/google-one-tap?returnUrl=https%3A%2F%2Fm.code.dev-theguardian.com%2Fuk',
 		);
 
 		expect(
 			getRedirectUrl({
 				stage: 'DEV',
-				token: 'test-token',
 				currentLocation:
 					'http://localhost/Front/https://m.code.dev-theguardian.com/uk',
 			}),
 		).toEqual(
-			'https://profile.thegulocal.com/signin/google?token=test-token&returnUrl=http%3A%2F%2Flocalhost%2FFront%2Fhttps%3A%2F%2Fm.code.dev-theguardian.com%2Fuk',
+			'https://profile.thegulocal.com/signin/google-one-tap?returnUrl=http%3A%2F%2Flocalhost%2FFront%2Fhttps%3A%2F%2Fm.code.dev-theguardian.com%2Fuk',
 		);
 	});
 
 	it('should initializeFedCM and redirect to Gateway with token on success', async () => {
 		const navigatorGet = jest.fn(() =>
 			Promise.resolve({ token: 'test-token' }),
 		);
-		const locationReplace = jest.fn();
 
-		mockWindow({
+		const { form, input } = mockWindow({
 			get: navigatorGet,
-			replace: locationReplace,
 		});
 
 		await initializeFedCM({ isSignedIn: false });
 
-		expect(navigatorGet).toHaveBeenCalledWith({
-			identity: {
-				context: 'continue',
-				providers: [
-					{
-						clientId: '774465807556.apps.googleusercontent.com',
-						configURL: 'https://accounts.google.com/gsi/fedcm.json',
-					},
-				],
-			},
-			mediation: 'required',
-		});
-
-		expect(locationReplace).toHaveBeenCalledWith(
-			'https://profile.theguardian.com/signin/google?token=test-token&returnUrl=https%3A%2F%2Fwww.theguardian.com%2Fuk',
+		expect(form.action).toBe(
+			'https://profile.theguardian.com/signin/google-one-tap?returnUrl=https%3A%2F%2Fwww.theguardian.com%2Fuk',
 		);
+		expect(form.method).toBe('POST');
+
+		expect(input.type).toBe('hidden');
+		expect(input.name).toBe('token');
+		expect(input.value).toBe('test-token');
+
+		expect(form.submit).toHaveBeenCalled();
 	});
 
 	it('should initializeFedCM and not redirect to Gateway with token on failure', async () => {
 		const error = new Error('Network Error');
 		error.name = 'NetworkError';
 
 		const navigatorGet = jest.fn(() => Promise.reject(error));
-		const locationReplace = jest.fn();
 
-		mockWindow({
+		const { form } = mockWindow({
 			get: navigatorGet,
-			replace: locationReplace,
 		});
 
 		await initializeFedCM({ isSignedIn: false });
@@ -115,19 +137,17 @@ describe('GoogleOneTap', () => {
 		});
 
 		// Don't redirect whenever there is a "NetworkError" (aka user declined prompt)
-		expect(locationReplace).not.toHaveBeenCalled();
+		expect(form.submit).not.toHaveBeenCalled();
 	});
 
 	it('should initializeFedCM and throw error when unexpected', async () => {
 		const error = new Error('window.navigator.credentials.get failed');
 		error.name = 'DOMException';
 
 		const navigatorGet = jest.fn(() => Promise.reject(error));
-		const locationReplace = jest.fn();
 
-		mockWindow({
+		const { form } = mockWindow({
 			get: navigatorGet,
-			replace: locationReplace,
 		});
 
 		await expect(initializeFedCM({ isSignedIn: false })).rejects.toThrow(
@@ -148,52 +168,46 @@ describe('GoogleOneTap', () => {
 		});
 
 		// Don't redirect whenever there is an unexpected error
-		expect(locationReplace).not.toHaveBeenCalled();
+		expect(form.submit).not.toHaveBeenCalled();
 	});
 
 	it('should not initializeFedCM when FedCM is unsupported', async () => {
 		const navigatorGet = jest.fn();
-		const locationReplace = jest.fn();
 
-		mockWindow({
+		const { form } = mockWindow({
 			get: navigatorGet,
-			replace: locationReplace,
 			enableFedCM: false,
 		});
 
 		await initializeFedCM({ isSignedIn: false });
 
 		expect(navigatorGet).not.toHaveBeenCalled();
-		expect(locationReplace).not.toHaveBeenCalled();
+		expect(form.submit).not.toHaveBeenCalled();
 	});
 
 	it('should not initializeFedCM when user is signed in', async () => {
 		const navigatorGet = jest.fn();
-		const locationReplace = jest.fn();
 
-		mockWindow({
+		const { form } = mockWindow({
 			get: navigatorGet,
-			replace: locationReplace,
 		});
 
 		await initializeFedCM({ isSignedIn: true });
 
 		expect(navigatorGet).not.toHaveBeenCalled();
-		expect(locationReplace).not.toHaveBeenCalled();
+		expect(form.submit).not.toHaveBeenCalled();
 	});
 
 	it('should not initializeFedCM when user is not in test', async () => {
 		const navigatorGet = jest.fn();
-		const locationReplace = jest.fn();
 
-		mockWindow({
+		const { form } = mockWindow({
 			get: navigatorGet,
-			replace: locationReplace,
 		});
 
 		await initializeFedCM({ isSignedIn: true });
 
 		expect(navigatorGet).not.toHaveBeenCalled();
-		expect(locationReplace).not.toHaveBeenCalled();
+		expect(form.submit).not.toHaveBeenCalled();
 	});
 });