SDK does not check applicationId of UserInfo #160

Open
peter-greenatlas opened this issue Sep 5, 2024 · 0 comments
Labels: bug (Something isn't working)

@peter-greenatlas

Description

If there are two applications (with different clientIds) running on the same domain, then the SDK will think the user is logged in, even if they are only signed into / registered for the other application.

This can be fixed by manually checking that the applicationId in the userInfo matches the clientId in the FusionAuthProviderConfig, but it feels like quite a gotcha and something that should be taken care of by the SDK.

Affects package

I've only tested with the React SDK, but it appears to be a problem in the SDK core.

Affects versions

Tried only:

  • FusionAuth 1.52.1
  • @fusionauth/react-sdk: 2.4.0

Steps to reproduce

  • Create two applications in the FusionAuth admin panel
  • Create a React application following https://fusionauth.io/docs/sdks/react-sdk, and set the clientId
  • Duplicate this React application, using the other clientId
  • Run both applications
  • User signs into app1
  • User navigates to app2: it says they are signed in, and <RequireAuth withRoles={}/> will use the roles they were assigned in app1

Expected behavior

If a user signs into app1 and then navigates to app2, app2 should not show them as logged in

Additional context

I guess this could be considered a limitation of the Hosted Backend (that it only supports one clientId at a time), but it seems like it would be safer to check the applicationId. Rather than do this in the javascript client, would it make sense to either have /app/me take a clientId parameter, or add another endpoint that does?

Thanks

@peter-greenatlas peter-greenatlas added the bug Something isn't working label Sep 5, 2024
@synedra synedra self-assigned this Dec 10, 2024
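The manual workaround the report describes (comparing the applicationId in the userInfo with the clientId the app was configured with), as an added example that is not code from the issue, the React SDK or the hosted backend. It assumes only what the report states: that the userInfo object returned via /app/me carries an applicationId field, and that the app knows its own clientId (in the React SDK that would be the FusionAuthProviderConfig value). The function names, the sample clientIds and the sample userInfo are constructed for illustration and are not part of any FusionAuth API; the check fails closed when applicationId is missing so that an unexpected response shape does not count as a login.

```javascript
// Constructed sample data: two FusionAuth applications served from one domain.
// These UUIDs are placeholders, not real application ids.
const APP1_CLIENT_ID = "11111111-1111-1111-1111-111111111111";
const APP2_CLIENT_ID = "22222222-2222-2222-2222-222222222222";

// Constructed userInfo, shaped the way the report describes the /app/me result
// after the user signed into app1. Only applicationId and roles are used here.
const sampleUserInfo = {
  sub: "user-123",
  email: "alice@example.com",
  applicationId: APP1_CLIENT_ID,
  roles: ["admin"],
};

// Fail-closed session check (hypothetical helper, not an SDK function).
// The user counts as logged in to *this* app only when a userInfo is present,
// it carries a string applicationId, and that id equals this app's clientId.
// Anything else (no userInfo, no applicationId, another app's id) is treated
// as "not logged in here" and yields no roles.
function sessionForApp(userInfo, clientId) {
  if (!userInfo || typeof userInfo.applicationId !== "string") {
    return { authenticated: false, roles: [], reason: "no applicationId in userInfo" };
  }
  if (userInfo.applicationId !== clientId) {
    return { authenticated: false, roles: [], reason: "userInfo belongs to another application" };
  }
  const roles = Array.isArray(userInfo.roles) ? [...userInfo.roles] : [];
  return { authenticated: true, roles, reason: null };
}

// Role guard built on the scoped session, i.e. what a RequireAuth-style
// wrapper would have to consult before honouring withRoles. Roles assigned in
// app1 are never applied to app2 because the session is rejected first.
function hasRequiredRoles(userInfo, clientId, requiredRoles) {
  const session = sessionForApp(userInfo, clientId);
  if (!session.authenticated) {
    return false;
  }
  return requiredRoles.every((role) => session.roles.includes(role));
}

// Stand-alone demonstration of the scenario in the report: the same userInfo
// is accepted by app1 and rejected by app2.
for (const [name, clientId] of [["app1", APP1_CLIENT_ID], ["app2", APP2_CLIENT_ID]]) {
  const session = sessionForApp(sampleUserInfo, clientId);
  console.log(
    `${name}: authenticated=${session.authenticated}` +
      ` roles=${JSON.stringify(session.roles)}` +
      (session.reason ? ` (${session.reason})` : "")
  );
}
```

In a React app the same comparison would sit in front of whatever component reads the SDK's login state, using the clientId from the provider configuration and the userInfo the SDK exposes; the server-side variant the report suggests (a clientId parameter on /app/me, or a separate endpoint) would move this check off the client entirely, which is the safer place for it.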