Fix TypeError for non-string action values in postMessage handler

ErkoRisthein · ErkoRisthein · commit 48a51493b9ad · 2026-01-06T16:25:00.000+02:00
Address code review feedback:
- Add typeof check to reject non-string action values early
- Use startsWith() safely after confirming action is a string
- Add test cases for action as object, number, and array
diff --git a/src/services/WebExtensionService.ts b/src/services/WebExtensionService.ts
@@ -44,7 +44,8 @@ export default class WebExtensionService {
   }
 
   private receive(event: { data: ExtensionResponse }): void {
-    if (!event.data?.action?.startsWith("web-eid:")) return;
+    if (typeof event.data?.action !== "string") return;
+    if (!event.data.action.startsWith("web-eid:")) return;
 
     const message       = event.data;
     const suffix        = ["success", "failure", "ack"].find((s) => message.action.endsWith(s));
diff --git a/src/services/__tests__/WebExtensionService-test.ts b/src/services/__tests__/WebExtensionService-test.ts
@@ -62,6 +62,42 @@ describe("WebExtensionService", () => {
 
       expect(console.warn).not.toHaveBeenCalled();
     });
+
+    it("should ignore messages with action as an object", async () => {
+      jest.spyOn(console, "warn").mockImplementation();
+
+      window.postMessage({ action: { id: "123", _t: "456" } }, "*");
+      await new Promise((resolve) => setTimeout(resolve));
+
+      expect(console.warn).not.toHaveBeenCalled();
+    });
+
+    it("should ignore messages with action as an object with startsWith property", async () => {
+      jest.spyOn(console, "warn").mockImplementation();
+
+      window.postMessage({ action: { startsWith: "2022-10-12", endsWith: "2026-10-12" } }, "*");
+      await new Promise((resolve) => setTimeout(resolve));
+
+      expect(console.warn).not.toHaveBeenCalled();
+    });
+
+    it("should ignore messages with action as a number", async () => {
+      jest.spyOn(console, "warn").mockImplementation();
+
+      window.postMessage({ action: 12345 }, "*");
+      await new Promise((resolve) => setTimeout(resolve));
+
+      expect(console.warn).not.toHaveBeenCalled();
+    });
+
+    it("should ignore messages with action as an array", async () => {
+      jest.spyOn(console, "warn").mockImplementation();
+
+      window.postMessage({ action: ["web-eid:test"] }, "*");
+      await new Promise((resolve) => setTimeout(resolve));
+
+      expect(console.warn).not.toHaveBeenCalled();
+    });
   });
 
   describe("action web-eid:warning", () => {

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,8 @@ export default class WebExtensionService {`
`44`	`44`	`}`
`45`	`45`
`46`	`46`	`private receive(event: { data: ExtensionResponse }): void {`
`47`		`- if (!event.data?.action?.startsWith("web-eid:")) return;`
	`47`	`+ if (typeof event.data?.action !== "string") return;`
	`48`	`+ if (!event.data.action.startsWith("web-eid:")) return;`
`48`	`49`
`49`	`50`	`const message = event.data;`
`50`	`51`	`const suffix = ["success", "failure", "ack"].find((s) => message.action.endsWith(s));`