
I can leave a comment as another person on my blog #580

Closed
emgoto opened this issue Jan 2, 2022 · 6 comments

Comments

@emgoto

emgoto commented Jan 2, 2022

After a person comments on my site, I can then comment using their account on any post on my site. e.g. this is not my account, but I can leave a comment with it:

[Screenshot: Screen Shot 2022-01-02 at 4.19.02 pm]

I'm not sure how this is possible.

  • My site is running with Gatsby, here's the utterances code
  • I can do it on my normal browser (Firefox), but can't reproduce it if I open a new tab in incognito or try another browser
@vazaha-nl

vazaha-nl commented Jan 25, 2022

Same issue here... this is not good. I am logged in as myself but on my page https://vazaha.blog/en/9/php-frankenstein-arrays it looks like I am logged in as the commenter and my own comment (2nd one) is posted under his account.

Edit: I just deleted the comment with the wrong account.

@emgoto
Author

emgoto commented Feb 8, 2022

I'm not sure what the best way is to reach out to the owner - @jdanyow?

@jdanyow
Member

jdanyow commented Feb 8, 2022

Hey folks - I saw this thread. I cannot reproduce the issue. Utterances doesn't store any credentials/tokens server side, so I can't think of how it would be possible for you to sign in as another user. Have you been able to post a comment as another user? If so, can you link me to the comment on GitHub?

Any errors in the console?

@emgoto
Author

emgoto commented Feb 8, 2022

^ Here's an example of me using someone else's account (sorry gjurd!)

I can't see any console errors.

gjurd isn't the most recent person to comment on my site (someone else did 24 hours ago), but he did comment about 2 weeks ago, probably the second most recent person to do so 🤔

I can only do it on my regular browser (Firefox) so I'm assuming it's somehow related to either:

  • The fact that I'm already logged into my own GitHub account via Utterances on my site
  • The fact that I view the site in local dev mode (? less likely)
  • Or something related to Gatsby / static site generators

@laymonage

Here are my thoughts on this:

This part of the code,

```ts
attrs.url = canonicalLink ? canonicalLink.href : location.origin + location.pathname + location.search;
```

uses `location.search`, which might still contain the utterances session param. Even though you've removed it and called `history.replaceState` before:

```ts
if (session) {
  localStorage.setItem('utterances-session', session);
  delete params.utterances;
  let search = param(params);
  if (search.length) {
    search = '?' + search;
  }
  history.replaceState(undefined, document.title, location.pathname + search + location.hash);
}
```

The iframe was still created with `location.search` as part of its URL query param, which is used by utterances to link to the website in the issue starter post. So, if you look at @emgoto's issues, issues made by @utterances-bot have the `?utterances=` query param in the link to the website, which is the session ID. If you click the link, you'll use the session of the user who triggered the issue creation.

You can probably fix this by making sure the utterances query param is removed before setting the value for attrs.url.

I came across a similar issue in giscus/giscus-component#8.
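
The leak laymonage describes, modelled as an added example (this is not utterances' own code): a `before` URL builder that reuses the raw `location.search`, a `after` builder that strips the session param first, and a check a site owner can run over any URL about to be published. The `SAMPLE_LOCATION` object and the token value in it are constructed placeholders; it runs under Node using the global `URL` and `URLSearchParams`.

```javascript
// Added example, not utterances' own code: a minimal model of the session leak
// described above and of the fix. The login redirect lands on the page with
// ?utterances=<session>; the client stores it and rewrites the address bar, but
// the URL published in the issue body was built from a search string that still
// carried the param, so anyone clicking that link inherited the session.
const SESSION_PARAM = 'utterances';

// Constructed sample location (not a real page or session).
const SAMPLE_LOCATION = {
  origin: 'https://example.blog',
  pathname: '/posts/hello',
  search: '?utterances=SESSION_TOKEN_PLACEHOLDER&tab=1',
  hash: '#comments',
};

// Remove the session param from a search string; returns '' or '?rest'.
function stripSessionParam(search) {
  const params = new URLSearchParams(search);
  params.delete(SESSION_PARAM);
  const rest = params.toString();
  return rest.length ? '?' + rest : '';
}

// Before: the address bar was rewritten, but the URL that ends up in the
// public issue was assembled from the unsanitised location.search.
function issueUrlBefore(loc, canonicalHref) {
  return canonicalHref ? canonicalHref : loc.origin + loc.pathname + loc.search;
}

// After: derive the published URL from the same sanitised search string the
// address-bar rewrite uses, so one code path decides what may leave the page.
function issueUrlAfter(loc, canonicalHref) {
  const search = stripSessionParam(loc.search);
  return canonicalHref ? canonicalHref : loc.origin + loc.pathname + search;
}

// Owner-side check: does a URL about to be posted publicly carry a session?
function leaksSession(url) {
  return new URL(url).searchParams.has(SESSION_PARAM);
}

console.log('before:', issueUrlBefore(SAMPLE_LOCATION, null),
  'leaks =', leaksSession(issueUrlBefore(SAMPLE_LOCATION, null)));
console.log('after: ', issueUrlAfter(SAMPLE_LOCATION, null),
  'leaks =', leaksSession(issueUrlAfter(SAMPLE_LOCATION, null)));
```

Running `leaksSession` over the website links in existing bot-created issues is a quick way to find posts that still expose a token and need it revoked.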

@jdanyow
Member

jdanyow commented Feb 9, 2022

fixed, all tokens revoked, thanks for reporting!
