Skip to content

Commit 614d512

Browse files
Address copilot pass 4 on #4
hideLwsAuthSection() reset memPrivKey/lastVmKid but left the pasted value in the privkey <input> DOM element. If a user re-ran diagnostics or switched to a different WebID, the privkey could be silently reused on the wrong identity. Clear privkeyInput.value too. (sign-out already does this; this catches the diagnostic-re-run path.)
1 parent c3a813d commit 614d512

1 file changed

Lines changed: 5 additions & 0 deletions

File tree

doctor.js

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -405,6 +405,11 @@ function hideLwsAuthSection() {
405405
testSection.hidden = true;
406406
memPrivKey = null;
407407
lastVmKid = null;
408+
// Clear the input element too — the in-memory privkey is gone but a
409+
// pasted value would otherwise persist in the DOM across diagnostic
410+
// re-runs / WebID switches and could be accidentally reused on a
411+
// different identity.
412+
privkeyInput.value = '';
408413
}
409414

410415
oidcSignInBtn.addEventListener('click', async () => {

0 commit comments

Comments
 (0)