Comments (5)
Thanks for double-checking my work, I had missed that nuance. Fixed in v1.0.11!
from passport-magic-login.
Published the second idea in v1.0.10. I appreciate the detailed writeup and suggestions @lukasz-wronski!
Thank you for the careful read of the source; I agree that this isn't an optimal implication of the API design. (even though I wish that JS-based ORMs handled this properly 😬)
Do you think something like if (!payload.destination) throw new Error('Please provide a destination') would solve this potential hazard?
Hey @mxstbr, thanks for the quick reaction. In fact this discovery was made with a real system I was pentesting. Developers were confident the links were verified correctly and I managed to log in as a random user just by messing the token up.
Regarding the code change. In my opinion it would be best to catch it as soon as possible by adding this exception right inside the decodeToken function. For example like this:

import jwt, { JwtPayload } from 'jsonwebtoken';

export const decodeToken = (secret: string, token?: string) => {
  try {
    // jsonwebtoken rejects undefined and non-string tokens itself, so no separate typeof check is needed
    return jwt.verify(token as string, secret) as JwtPayload;
  } catch (err) {
    // fail closed: missing, malformed, badly signed or expired tokens all end up here
    throw new Error('JWT incorrect or missing');
  }
};
Please note that the if (typeof token !== 'string') you have now is redundant as the jsonwebtoken library already checks this in the line below:
I think it's safe to just put anything into jwt.verify and rely on @auth0 to have all these checks implemented correctly.
If you want to make it even simpler you can make decodeToken directly call jwt.verify and do no try..catch wrapping. Then your users will get a more detailed error about the problem with the JWT provided. Your choice, both options seem to be right.
Let me know if I can assist you further.
@mxstbr One thing that I can see is that you've left the if (typeof token !== 'string') and it's still working the same way as before in case I'm not adding ?token in the query string. Undefined is not a string so it returns false. It still needs to be fixed.