fix(security): remove GitHub access token from client-exposed session #2875
BCA-krishna wants to merge 3 commits into
Conversation
GSSoC Label Checklist 🏷️ @Priyanshu-byte-coder — please apply the appropriate labels before merging: Difficulty (pick one), Quality (optional), Validation (required to score).
Priyanshu-byte-coder
left a comment
Good security fix — consistently replaces session.accessToken with server-side getAccessToken() across all routes. Large but systematic change.
Approved — has merge conflicts now (58 files changed, likely conflicts from recent activity). Please rebase on main.
Force-pushed 37dcd97 to 5d03205.
Done! I've rebased on the latest main, resolved the conflicts, and pushed the updated branch. Thanks for the review!

Removing the GitHub access token from the client-exposed session is a change we want — but 59 files with a failing check is too much surface to review safely in one PR. Please fix CI and, if possible, split into the session/auth core change plus follow-ups.
- Stop copying accessToken onto the NextAuth session object in the session() callback (auth.ts), since session is exposed to client-side JS via useSession()/getSession() and was readable via XSS (Priyanshu-byte-coder#2845)
- Add getAccessToken() helper (lib/get-session-token.ts) that reads the token server-side only, directly from the encrypted JWT cookie via next-auth/jwt's getToken()
- Migrate all API routes that previously read session.accessToken to use the new server-only getAccessToken() helper instead
- Update/add tests to mock getAccessToken() and verify accessToken is no longer present on the session object

Closes Priyanshu-byte-coder#2844
Force-pushed b4143a8 to 2fa216f.
Closes #2845

Problem

The NextAuth `session()` callback copied the GitHub access token onto the `session` object. Since `session` is exposed to client-side code via `useSession()`/`getSession()`, the raw GitHub token was readable by any JavaScript running on the page — including a successful XSS payload — giving full access to the user's GitHub account with the granted scopes.
Fix

- Removed `session.accessToken = token.accessToken` from the `session()` callback in `src/lib/auth.ts`. The token now stays only in the encrypted, HttpOnly JWT cookie that NextAuth manages — it never reaches the browser.
- Added a `getAccessToken()` helper in `src/lib/get-session-token.ts` that reads the token server-side only, directly from the JWT via `next-auth/jwt`'s `getToken()`.
- Migrated all API routes that read `session.accessToken` to call `getAccessToken()` instead (29 route files).
- Updated tests to mock `getAccessToken()` and to assert that `accessToken` is never present on the session object returned to the client.
Testing

- `npm run type-check` — 0 errors
- `npm run lint` — 0 errors (5 pre-existing unrelated `<img>` warnings)
- `npm test` — same failure count as `main` (all pre-existing/unrelated to this change — verified via `git stash` comparison); no new failures introduced by this fix
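The before/after `session()` callback and the server-only accessor described in this PR, as an added TypeScript example that is not code from the PR or the project. The `JWT`/`Session` types, the injected `readToken` cookie decoder (standing in for `next-auth/jwt`'s `getToken()`), and all sample values are assumptions so the example runs without next-auth.

```typescript
// Added example, not the PR's code: the NextAuth session() callback before and
// after the fix, a server-only token accessor, and a leak check for tests.
// JWT/Session are simplified stand-ins for next-auth's types (assumption).
type JWT = { sub: string; name?: string; accessToken?: string };
type Session = { user: { name?: string }; expires: string; accessToken?: string };

// BEFORE (vulnerable): copies the GitHub token onto the session object, which
// /api/auth/session serializes to the browser for useSession()/getSession().
function sessionCallbackBefore(session: Session, token: JWT): Session {
  session.user.name = token.name;
  session.accessToken = token.accessToken;
  return session;
}

// AFTER (fixed): only non-secret claims are copied; the token stays in the
// encrypted, HttpOnly JWT cookie that NextAuth manages.
function sessionCallbackAfter(session: Session, token: JWT): Session {
  session.user.name = token.name;
  return session;
}

// Server-only accessor. The PR's getAccessToken() in src/lib/get-session-token.ts
// calls getToken() from next-auth/jwt; here the cookie decoder is injected
// (assumed signature) so the example runs offline. Never import this from
// client components.
type TokenReader = (cookieHeader: string | undefined) => JWT | null;
function getAccessToken(cookieHeader: string | undefined, readToken: TokenReader): string | null {
  return readToken(cookieHeader)?.accessToken ?? null;
}

// Test guard: walk the client-bound session object and flag any credential key.
function leaksCredential(value: unknown): boolean {
  if (Array.isArray(value)) return value.some(leaksCredential);
  if (value !== null && typeof value === "object") {
    return Object.entries(value as Record<string, unknown>).some(
      ([k, v]) => /^(access|refresh)Token$/i.test(k) || leaksCredential(v),
    );
  }
  return false;
}

// Constructed sample data (not a real token or cookie).
const SAMPLE_JWT: JWT = { sub: "42", name: "octocat", accessToken: "CONSTRUCTED_SAMPLE_TOKEN" };
const fakeCookieReader: TokenReader = (cookie) =>
  cookie === "next-auth.session-token=encrypted-sample" ? SAMPLE_JWT : null;
const freshSession = (): Session => ({ user: {}, expires: "2099-01-01T00:00:00.000Z" });
const beforeSession = sessionCallbackBefore(freshSession(), SAMPLE_JWT);
const afterSession = sessionCallbackAfter(freshSession(), SAMPLE_JWT);
```

`leaksCredential` is the kind of assertion the PR's updated tests make on the session object handed to the client; the accessor is only ever called from route handlers.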