FIX with-apollo-auth example token access #4771

zapaiamarce · 2018-07-12T13:47:39Z

in some cases access to the token doesn't work in client side. this access to the token once in getInitialProps method and pass it down using props

timneutkens · 2018-07-12T14:53:31Z

examples/with-apollo-auth/lib/withApollo.js

@@ -69,7 +70,8 @@ export default App => {

      return {
        ...appProps,
-        apolloState
+        apolloState,
+        token


This is potentially dangerous as passing down the cookie means you're taking input from the user and returning it to them, which, if Next.js didn't htmlescape the getInitialProps result, would lead to an XSS vulnerability.

To be clear Next.js does htmlescape the getInitialProps result.

But, do cookies have a similar behavior maybe in a lower level? Cookies travel in the headers to the both ways. Does this represent an XSS vulnerability too?

FIX with-apollo-auth example token acces

92d5eec

timneutkens reviewed Jul 12, 2018

View reviewed changes

timneutkens approved these changes Sep 12, 2018

View reviewed changes

timneutkens merged commit ae7e532 into vercel:master Sep 12, 2018

lock bot locked as resolved and limited conversation to collaborators Sep 12, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

FIX with-apollo-auth example token access #4771

FIX with-apollo-auth example token access #4771

zapaiamarce commented Jul 12, 2018

timneutkens Jul 12, 2018 •

edited

Loading

zapaiamarce Jul 17, 2018

FIX with-apollo-auth example token access #4771

FIX with-apollo-auth example token access #4771

Conversation

zapaiamarce commented Jul 12, 2018

timneutkens Jul 12, 2018 • edited Loading

Choose a reason for hiding this comment

zapaiamarce Jul 17, 2018

Choose a reason for hiding this comment

timneutkens Jul 12, 2018 •

edited

Loading