-
Notifications
You must be signed in to change notification settings - Fork 75
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Resolve #144 & avoid misusing Refresh-token as Auth-token for Authorisation #145
base: develop
Are you sure you want to change the base?
Conversation
- Update version number for release
Release/v0.4.1
Chiming in here to add that this is a breaking change for existing projects. As mentioned in #136 the Wordpress example in the offical next.js repo uses refreshTokens to preview draft posts so I guess a number of projects adopted this approach. Would be a bummer if an update breaks these sites. |
I thank you for your comment in first place. |
@majhoolsoft thx for your feedback on this. |
Yes. refresh token will no longer be accepted for mutation requests. |
This is the article I wrote to instruct developers who may need to know more about my solution. |
The longer the Next.js example promotes the bad practice allowed by this bug, I suspect it will become more difficult for maintainers to take action on it later. And, well, considering that 2023 is quite a while "later" already – if the PR had been merged in 2021 or early 2022, would things have been different? As an upstream dependency of the official Next.js I almost started following the examples/cms-wordpress preview role-based security vulnerability · Issue #29877 · vercel/next.js
And the complete response from Vercel before locking the issue comments:
So I'm not sure that Vercel cares much about investigating or fixing the example without a "verifiable reproduction". Somewhat understandable considering the scope of their project, but the opaque dismissal of vercel/next.js#29877 concerns me nonetheless. Introducing a breaking change in this plugin might probably result in a "verifiable reproduction" of a failing example downstream, and thus hopefully prevent further proliferation of unquestioned reliance on #144 as a feature instead of a bug. |
The more I think about this the more I conclude that whether this is a bug / security issue depends on how the tokens are generated and used. I agree that using a long-lived token with admin privileges is not safe. However, there a many real world use cases where the frontend does not need to be able to do mutations but instead needs read-only access to unpublished posts for live previewing. In this scenario, using a long-lived token with limited permissions (such as WP's That's why I suggest–instead of changing the current behavior–to clarify in the readme that both |
I also wonder how big the security gain would be with your proposed change: |
#144 #136 ...
Bug:
If we use refresh token instead of auth/access token in request headers (for the ones which need authorization), it works! And it doesn't matter how long we use it.
This is also prone to MITM attacks when using http protocol.
Bug fix:
This update prevents (mutation) execution for requests which have refreshToken set in their header, instead of accessToken .
Feel free to comment