Include message body in 302 responses #399

Closed
wants to merge 3 commits into from
Conversation

michielvangendt

Description

The 302 responses from the auth API do not contain a message body. This is in conflict with the RFCs below and causes Traefik (a reverse proxy) to invalidate the responses. In this pull request, I add a response body to the 302 responses.

References

- https://datatracker.ietf.org/doc/html/rfc7230#section-3.3
> All 1xx (Informational), 204 (No Content), and 304 (Not Modified) responses must not include a message-body. All other responses do include a message-body, although the body may be of zero length.

- https://datatracker.ietf.org/doc/html/rfc7231#section-6.4.3
> The server's response payload usually contains a short hypertext note with a hyperlink to the different URI(s).

@michielvangendt michielvangendt requested a review from a team as a code owner May 18, 2021 14:26
@vercel

vercel bot commented May 18, 2021

Someone is attempting to deploy a commit to the Auth0 Team on Vercel.

A member of the Team first needs to authorize it.

@adamjmcgrath
Contributor

Thanks @michielvangendt - thanks for raising this, looks good

Can we do what Next.js does and add res.write('')? eg

https://github.com/vercel/next.js/blob/canary/packages/next/next-server/server/api-utils.ts#L220

It will keep this fix consistent with how the redirect works in withPageAuthRequired

@michielvangendt
Author

michielvangendt commented May 18, 2021

Hi @adamjmcgrath, it appears that their implementation (with res.write('')) doesn't work with Traefik as well. I will open a PR/issue for Next.js tomorrow!

@adamjmcgrath
Contributor

> it appears that their implementation (with res.write('')) doesn't work as well. I will open a PR/issue for Next.js tomorrow!

ok, np - can you reference this PR when you do? Thanks @michielvangendt

@adamjmcgrath
Contributor

@michielvangendt - when vercel/next.js#25257 is merged can you update this to match and I'll go ahead and approve this.

kodiakhq bot pushed a commit to vercel/next.js that referenced this pull request Jul 9, 2021
### Description
The redirect responses from the redirect function do not contain a message body. This is in conflict with the RFCs below and causes Traefik (a reverse proxy) to invalidate the responses. In this pull request, I add a response body to the redirect responses.

### References
- https://datatracker.ietf.org/doc/html/rfc7230#section-3.3
> All 1xx (Informational), 204 (No Content), and 304 (Not Modified) responses must not include a message-body. All other responses do include a message-body, although the body may be of zero length.

- https://datatracker.ietf.org/doc/html/rfc7231#section-6.4.3
> The server's response payload usually contains a short hypertext note with a hyperlink to the different URI(s).

- traefik/traefik#4456
- auth0/nextjs-auth0#399
@michielvangendt
Author

@adamjmcgrath the PR in next.js is merged!

@@ -54,6 +54,6 @@ export default function logoutHandlerFactory(
res.writeHead(302, {
Location: returnURL
});
res.end();
res.end(returnURL);
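Review bot: `res.end(returnURL)` writes the raw Location value into the response body with no HTML escaping, so a returnURL containing markup would be reflected verbatim; pass it through the project's HTML-escape util (or emit a fixed short note) before writing it, and set a Content-Type header now that the response carries a body.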
Contributor


I just noticed that you need to update lines 31 and 43

@@ -62,6 +62,6 @@ export default function callbackHandlerFactory(
res.writeHead(302, {
Location: openidState.returnTo || config.baseURL
});
res.end();
res.end(openidState.returnTo || config.baseURL);
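Review bot: `res.end(openidState.returnTo || config.baseURL)` reflects a value that can originate from the returnTo query parameter of /api/auth/login straight into the body without escaping; HTML-escape it before writing so reflected input cannot be rendered as markup, and declare a Content-Type for the new body.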
Contributor


Also - I think we should escape these (and the others)

It's probably overkill because modern browsers won't serve this content, but openidState.returnTo can contain reflected user input from /api/auth/login?returnTo=user-input

I also notice that express escapes the content in 302

There's a util method to escape html here https://github.com/auth0/nextjs-auth0/blob/main/src/utils/errors.ts#L26-L34

FYI @lzychowski
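As an added example, not code from nextjs-auth0 or this PR, here is one way to write the 302 described in the PR description (Location header plus the short hypertext note RFC 7231 mentions) while HTML-escaping the reflected URL before it enters the body, as suggested in the comment above. The names escapeHtml, redirectBody and redirectWithBody are assumptions for this illustration, not the project's own util.

```javascript
// Added example (not nextjs-auth0's code). Emits a 302 with a non-empty body
// so proxies that expect one accept it, and escapes the reflected URL so a
// client that renders the body never interprets it as markup.

// Minimal HTML escaper (assumption: stands in for the project's errors.ts util).
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Short hypertext note with a hyperlink to the new URI, per RFC 7231 6.4.3.
// The URL is escaped both as attribute value and as text content.
function redirectBody(location) {
  const safe = escapeHtml(location);
  return `<p>Found. Redirecting to <a href="${safe}">${safe}</a></p>`;
}

// Write the redirect: Location header unchanged, body escaped, and
// Content-Type/Content-Length set because the response now has a payload.
function redirectWithBody(res, location) {
  const body = redirectBody(location);
  res.writeHead(302, {
    Location: location,
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Length': Buffer.byteLength(body),
  });
  res.end(body);
}

module.exports = { escapeHtml, redirectBody, redirectWithBody };
```

Inside an http.createServer handler the call is simply redirectWithBody(res, returnTo); the Location header keeps the original value, only the body copy is escaped.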

flybayer pushed a commit to blitz-js/next.js that referenced this pull request Aug 19, 2021
@adamjmcgrath
Contributor

Closing due to inactivity - happy to reopen if you want to finish this off
