11import { useContext } from 'react' ;
22import { useToastBarDispatch } from '@embeddedchat/ui-elements' ;
33import RCContext from '../context/RCInstance' ;
4- import { useUserStore , totpModalStore , useLoginStore } from '../store' ;
4+ import { useUserStore , totpModalStore , useLoginStore , useTotpCredentialsStore } from '../store' ;
55
66export const useRCAuth = ( ) => {
77 const { RCInstance } = useContext ( RCContext ) ;
@@ -18,7 +18,9 @@ export const useRCAuth = () => {
1818 const setIsUserAuthenticated = useUserStore (
1919 ( state ) => state . setIsUserAuthenticated
2020 ) ;
21- const setPassword = useUserStore ( ( state ) => state . setPassword ) ;
21+ // SECURITY FIX (Issue #1263): Use ephemeral TOTP credentials store
22+ const setTotpCredentials = useTotpCredentialsStore ( ( state ) => state . setTotpCredentials ) ;
23+ const clearTotpCredentials = useTotpCredentialsStore ( ( state ) => state . clearTotpCredentials ) ;
2224 const setEmailorUser = useUserStore ( ( state ) => state . setEmailorUser ) ;
2325 const dispatchToastMessage = useToastBarDispatch ( ) ;
2426
@@ -33,7 +35,9 @@ export const useRCAuth = () => {
3335 } ) ;
3436 } else {
3537 if ( res . error === 'totp-required' ) {
36- setPassword ( password ) ;
38+ // SECURITY FIX (Issue #1263): Store credentials temporarily in ephemeral TOTP store
39+ // These are cleared immediately after TOTP completes
40+ setTotpCredentials ( userOrEmail , password ) ;
3741 setEmailorUser ( userOrEmail ) ;
3842 setIsLoginModalOpen ( false ) ;
3943 setIsTotpModalOpen ( true ) ;
@@ -55,7 +59,8 @@ export const useRCAuth = () => {
5559 setIsUserAuthenticated ( true ) ;
5660 setIsTotpModalOpen ( false ) ;
5761 setEmailorUser ( null ) ;
58- setPassword ( null ) ;
62+ // SECURITY FIX (Issue #1263): Clear ephemeral TOTP credentials after success
63+ clearTotpCredentials ( ) ;
5964 dispatchToastMessage ( {
6065 type : 'success' ,
6166 message : 'Successfully logged in' ,
@@ -64,6 +69,8 @@ export const useRCAuth = () => {
6469 }
6570 } catch ( e ) {
6671 console . error ( 'An error occurred while setting up user' , e ) ;
72+ // SECURITY FIX (Issue #1263): Clear ephemeral TOTP credentials on error
73+ clearTotpCredentials ( ) ;
6774 dispatchToastMessage ( {
6875 type : 'error' ,
6976 message :
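Review bot: The plaintext password in the new ephemeral store is only cleared on the success path and in the `catch`, so a non-throwing failure (the `else` branch of the TOTP login result, outside this hunk) or the user simply closing the TOTP modal appears to leave the credentials in memory for the lifetime of the page, which contradicts the "cleared immediately after TOTP completes" comment. Whatever handler drives `setIsTotpModalOpen(false)` on cancel should also call `clearTotpCredentials()`, and a cancel/abandon path should probably clear rather than rely on a later successful login; I cannot see that handler here, so this needs confirming against the modal component. The comment on the `totp-required` branch could be made accurate with `// Cleared after TOTP completes, on error, and when the TOTP modal is dismissed` once that is true. This also assumes `useTotpCredentialsStore` is not wrapped in a persist middleware; if it were, the password would still reach web storage. The enclosing `useRCAuth` body and its `try` start outside this hunk.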