Issueid #226738 fix: Score not updating for speak with me section if …

[ajinkyapandetekdi]

…we load the assets from cloudfront

Summary by CodeRabbit

• New Features
  • Improved security for inter-window messaging by specifying target origins in message posting.
• Bug Fixes
  • Enhanced clarity and robustness of message posting operations across components.
• Style
  • Standardized formatting and improved readability in various components.

[coderabbitai]

Walkthrough

The changes involve updates to the postMessage method calls across three components: ProfileHeader, SpeakSentenceComponent, and Practice. In each case, the postMessage calls were modified to include a target origin of "*", enhancing the specificity of message posting. Additionally, minor formatting adjustments were made for consistency and readability, particularly in the SpeakSentenceComponent, without altering the underlying functionality or logic of the components.

Changes

Files	Change Summary
src/components/Assesment/Assesment.jsx, src/views/Practice/Practice.jsx	Updated postMessage calls to include a target origin of "*" for enhanced security and specificity in message posting.
src/components/DiscoverSentance/DiscoverSentance.jsx	Made formatting adjustments for consistency, including standardizing quotes and improving readability of the send function's postMessage call.

Sequence Diagram(s)

sequenceDiagram
    participant A as Component
    participant B as Window

    A->>B: postMessage(data, "*")
    B-->>A: Acknowledgment

Loading

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[sonarcloud]

Quality Gate failed

Failed conditions
52.4% Duplication on New Code (required ≤ 3%)
D Security Rating on New Code (required ≥ A)

See analysis details on SonarCloud

Catch issues before they fail your Quality Gate with our IDE extension SonarLint

[coderabbitai]

Actionable comments posted: 4

Outside diff range and nitpick comments (2)

src/components/DiscoverSentance/DiscoverSentance.jsx (2)

170-180: Add error handling for the new API call.

The new API call to create learner progress looks good and is correctly gated behind the REACT_APP_POST_LEARNER_PROGRESS environment variable.

Consider adding error handling for this API call. If the API call fails, it should be caught and handled gracefully to avoid any disruption to the user flow. For example:

try {
  await axios.post(
    `${process.env.REACT_APP_LEARNER_AI_ORCHESTRATION_HOST}/${config.URLS.CREATE_LEARNER_PROGRESS}`, 
    {
      userId: localStorage.getItem("virtualId"),
      sessionId: localStorage.getItem("sessionId"), 
      subSessionId: sub_session_id,
      milestoneLevel: getSetData?.data?.currentLevel,
      language: localStorage.getItem("lang"),
    }
  );
} catch (error) {
  console.error("Failed to create learner progress:", error);
  // Handle the error, show a user-friendly message, etc.
}

---

296-297: Remove the old commented out code.

The updated conditional navigation in the handleBack function looks good. It provides flexibility to navigate to different routes based on the REACT_APP_IS_APP_IFRAME environment variable.

Consider removing the old commented out code for the conditional navigation to keep the codebase clean:

// if (process.env.REACT_APP_IS_APP_IFRAME === 'true') {
//   navigate("/");  
// } else {
//   navigate("/discover-start")
// }

Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

Commits

Files that changed from the base of the PR and between b1dad39 and 8e9f04d.

Files selected for processing (3)

• src/components/Assesment/Assesment.jsx (1 hunks)
• src/components/DiscoverSentance/DiscoverSentance.jsx (6 hunks)
• src/views/Practice/Practice.jsx (2 hunks)

Additional context used

GitHub Check: SonarCloud

src/components/DiscoverSentance/DiscoverSentance.jsx

[failure] 103-103: Origins should be verified during cross-origin communications

Specify a target origin for this message.

See more on SonarCloud

src/components/Assesment/Assesment.jsx

[failure] 347-347: Origins should be verified during cross-origin communications

Specify a target origin for this message.

See more on SonarCloud

src/views/Practice/Practice.jsx

[failure] 122-122: Origins should be verified during cross-origin communications

Specify a target origin for this message.

See more on SonarCloud

---

[failure] 689-689: Origins should be verified during cross-origin communications

Specify a target origin for this message.

See more on SonarCloud

Additional comments not posted (3)

src/components/DiscoverSentance/DiscoverSentance.jsx (1)

114-115: Provide more context on the new state variables.

Could you please provide more information on the purpose and usage of the isNextButtonCalled and enableNext state variables? It's unclear from the provided code context why these states are being updated in the handleNext function and how they are being used elsewhere in the component.

src/views/Practice/Practice.jsx (2)

Line range hint 1-11: LGTM!

The import statements look good. No changes needed.

Tools

GitHub Check: SonarCloud

[failure] 122-122: Origins should be verified during cross-origin communications

Specify a target origin for this message.

See more on SonarCloud

---

Line range hint 32-38: LGTM!

The state variable definition using useState looks good. No changes needed.

Tools

GitHub Check: SonarCloud

[failure] 122-122: Origins should be verified during cross-origin communications

Specify a target origin for this message.

See more on SonarCloud

[coderabbitai]

Restrict the target origin to trusted domains.

The formatting changes to the postMessage call improve readability. However, using "*" as the target origin allows the message to be sent to any origin, which could be a security risk if the message contains sensitive data.

Restrict the target origin to trusted domains instead of using "*". For example:

window.parent.postMessage(
  {
    score: score,
    message: "all-test-rig-score",
  },
  "https://trusted-domain.com"
);

Tools

GitHub Check: SonarCloud

[failure] 103-103: Origins should be verified during cross-origin communications

Specify a target origin for this message.

See more on SonarCloud

[coderabbitai]

Security Issue: Specify the exact target origin instead of using "*".

Using "*" as the target origin in the postMessage call allows the message to be sent to any window, which can lead to security vulnerabilities. It is recommended to specify the exact origin of the intended recipient instead.

To address this, replace "*" with the specific origin URL:

- window.parent.postMessage({ type: "restore-iframe-content" }, "*");
+ window.parent.postMessage({ type: "restore-iframe-content" }, "https://example.com");

Make sure to replace "https://example.com" with the actual origin URL of the intended recipient.

Committable suggestion was skipped due to low confidence.

Tools

GitHub Check: SonarCloud

[failure] 347-347: Origins should be verified during cross-origin communications

Specify a target origin for this message.

See more on SonarCloud

[coderabbitai]

Security Issue: Specify trusted domain instead of "*" for postMessage target origin.

Using "*" as the target origin in postMessage is a security risk because it allows sending messages to any origin. This can potentially leak sensitive data to untrusted sources.

Fix this by replacing "*" with the specific trusted domain that is allowed to receive the message. For example:

- window.parent.postMessage({score: score, message: "all-test-rig-score"}, "*");
+ window.parent.postMessage({score: score, message: "all-test-rig-score"}, "https://trusted-domain.com");

Committable suggestion was skipped due to low confidence.

Tools

GitHub Check: SonarCloud

[failure] 122-122: Origins should be verified during cross-origin communications

Specify a target origin for this message.

See more on SonarCloud

[coderabbitai]

Security Issue: Specify trusted domain instead of "*" for postMessage target origin.

Using "*" as the target origin in postMessage is a security risk because it allows sending messages to any origin. This can potentially leak sensitive data to untrusted sources.

Fix this by replacing "*" with the specific trusted domain that is allowed to receive the message. For example:

- window.parent.postMessage({ type: "stringLengths", length }, "*");
+ window.parent.postMessage({ type: "stringLengths", length }, "https://trusted-domain.com");

Committable suggestion was skipped due to low confidence.

Tools

GitHub Check: SonarCloud

[failure] 689-689: Origins should be verified during cross-origin communications

Specify a target origin for this message.

See more on SonarCloud

[gouravmore]

Merged the PR for now - later we need to add whitelist urls as config to make this work