Example callback will leak user session to client about remix-auth HOT 3 CLOSED

In this snippet:

await authenticator.authenticate("user-pass", request, {
  successRedirect: "/dashboard",
  failureRedirect: "/login",
});

throw new Error("already logged in");

The error will never happen, because you defined both successRedirect and failureRedirect, so if the user is authenticated a redirect to /dashboard will be thrown, if the user is not authenticated then it will redirect to /login. There's no scenario where the data of the session is returned directly if you set both redirects.

If you don't set the failureRedirect then it will redirect if it's logged-in or return null if it's not.

If you don't set the successRedirect then it will redirect if it's not logged-in and return the user (whatever the strategies return) data if it is.

In the last scenario is when it can leak the data, but that's the responsibility of the dev using the library, the type will be correctly defined to tell you that it's returning the user data.

All of this is documented in the README

from remix-auth.

I opened the issue because it happened to me when I had an error display and I re-loaded the page. The raw json from the session was displayed in the browser.

Another way besides a reload would be to look through the network logs in the browser and re-submit the request from within a logged in user session.

from remix-auth.

I figured out was is going on: this was in a strategy I was developing and I was copying the outline of the oauth2 plugin, but returned user if logged-in instead of this.success(user, ...). in the short circuit block of "User is already authenticated".

Something to be aware of I guess. Plugins can be poorly written and leak your session 🙄.

from remix-auth.