Do not allow using withAuthUserSSR when cookies are unsigned #195

kmjennison · 2021-06-03T21:31:32Z

Is your feature request related to a problem? Please describe.
Currently, it's possible for a developer to introduce a security risk by using withAuthUserSSR alongside unsigned cookies, as described in the docs:

⚠️ Do not use this when cookies.signed is set to false. Doing so is a potential security risk, because the authed user cookie values could be modified by the client.

Describe the solution you'd like and how you'd implement it
If the config cookies.signed property is false, throw if the user tries using withAuthUserSSR.

Is this a breaking change?
Yes

Describe alternatives you've considered
We could drop withAuthUserSSR altogether if developers don't need it.

The text was updated successfully, but these errors were encountered:

kmjennison · 2021-12-19T18:13:29Z

Closed in #391.

kmjennison added enhancement New feature or request breaking The issue or PR will introduce a breaking change help wanted Extra attention is needed labels Jun 3, 2021

kmjennison mentioned this issue Jun 3, 2021

implement cookies.unified option to use unified cookie #192

Closed

kmjennison mentioned this issue Aug 7, 2021

RFC: v1 roadmap #265

Closed

24 tasks

kmjennison mentioned this issue Dec 19, 2021

Throw when using withAuthUserSSR without signed cookies #391

Merged

kmjennison closed this as completed Dec 19, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Do not allow using withAuthUserSSR when cookies are unsigned #195

Do not allow using withAuthUserSSR when cookies are unsigned #195

kmjennison commented Jun 3, 2021

kmjennison commented Dec 19, 2021

Do not allow using withAuthUserSSR when cookies are unsigned #195

Do not allow using withAuthUserSSR when cookies are unsigned #195

Comments

kmjennison commented Jun 3, 2021

kmjennison commented Dec 19, 2021