fix(react): harden image auth token handling

Aryan-Verma-999 · Aryan-Verma-999 · commit a9b03ab9956a · 2026-03-21T18:21:30.000+05:30
diff --git a/packages/react/src/views/AttachmentHandler/ImageAttachment.js b/packages/react/src/views/AttachmentHandler/ImageAttachment.js
@@ -16,23 +16,38 @@ const ImageAttachment = ({
 }) => {
   const { RCInstance } = useContext(RCContext);
   const [showGallery, setShowGallery] = useState(false);
-  const [authParams, setAuthParams] = useState('');
+  const [authParams, setAuthParams] = useState(null);
 
   useEffect(() => {
     let cancelled = false;
     RCInstance.auth.getCurrentUser().then((user) => {
-      if (!cancelled && user?.authToken && user?.userId) {
-        setAuthParams(`rc_token=${user.authToken}&rc_uid=${user.userId}`);
+      if (!cancelled) {
+        setAuthParams(
+          user?.authToken && user?.userId
+            ? `rc_token=${user.authToken}&rc_uid=${user.userId}`
+            : ''
+        );
       }
+    }).catch(() => {
+      if (!cancelled) setAuthParams('');
     });
     return () => { cancelled = true; };
   }, [RCInstance]);
 
   const withAuth = (url) => {
-    if (!url || !authParams) return url;
+    if (!url) return url;
+    // Only add auth to URLs served from our own RC host — never leak creds to 3rd parties
+    try {
+      const rcHostname = new URL(host).hostname;
+      if (new URL(url).hostname !== rcHostname) return url;
+    } catch {
+      return url; // malformed URL — skip auth
+    }
+    if (!authParams) return url;
     const sep = url.includes('?') ? '&' : '?';
     return `${url}${sep}${authParams}`;
   };
+
   const getUserAvatarUrl = (icon) => {
     const instanceHost = RCInstance.getHost();
     const URL = `${instanceHost}${icon}`;
