From 53e71c632c37d435ec69e571f4fe8941e4ffdb74 Mon Sep 17 00:00:00 2001
From: Chaitanya Potti <chaitanya.potti@gmail.com>
Date: Sat, 9 Nov 2024 21:06:16 +0800
Subject: [PATCH] Allow only auth service urls to set loginId

---
 src/core/auth.ts | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/core/auth.ts b/src/core/auth.ts
index 34d8bf3d..3fca1365 100644
--- a/src/core/auth.ts
+++ b/src/core/auth.ts
@@ -144,6 +144,7 @@ export class Auth {
       sessionNamespace: this.options.sessionNamespace,
       sessionTime: this.options.sessionTime,
       sessionId,
+      allowedOrigin: this.options.sdkUrl,
     });
 
     if (this.options.network === WEB3AUTH_NETWORK.TESTNET || this.options.network === WEB3AUTH_NETWORK.SAPPHIRE_DEVNET) {
@@ -430,6 +431,7 @@ export class Auth {
       sessionNamespace: data.options.sessionNamespace,
       sessionTime: timeout, // each login key must be used with 10 mins (might be used at the end of popup redirect)
       sessionId: loginId,
+      allowedOrigin: this.options.sdkUrl,
     });
 
     const promise = loginSessionMgr.createSession(JSON.parse(JSON.stringify(data)));