Major security flaw - loadFromCookie

There seems to be a major security flaw when using client.authStore.loadFromCookie(). The cookie value is clear text and can easily be changed. loadFromCookie() sets the model data from the cookie value without validating anything (except that the token is not expired).

That means you can never trust client.authStore.model even if client.authStore.valid returns true.

I think it would be far better to use a JWT with the desired model data as the cookie value and really verify the token (not just the expiry date).

Issue Analytics

  • State: closed
  • Created: 10 months ago
  • Comments: 14 (8 by maintainers)

Top GitHub Comments

3 reactions
ganigeorgiev commented, Nov 25, 2022

I’ve updated the examples and I’ve added a note in the loadFromCookie jsdoc that you may need to call authRefresh() in order to trust the isValid call. It is published as a new v0.8.1 release so that the docs changes are available on autocomplete and in the npm package readme.

1 reaction
PatrickG commented, Nov 25, 2022

@PatrickG I’ve created a PR in the tutorial repo - huntabyte/projecthunt#4.

If you are aware of other tutorials, feel free to post them here or directly file a PR/issue in the author's repo.

Thank you. I’ve created the same PR for another repo. I hope it is okay that I copied your text for this 😃

If you search for pocketbase loadFromCookie, there are many projects that make this mistake. I’ve no time to check all/report it to all.
