fix(security): stop exposing GitHub access token on client-visible session (#2845)#3132
Open
BCA-krishna wants to merge 1 commit into
Open
fix(security): stop exposing GitHub access token on client-visible session (#2845)#3132BCA-krishna wants to merge 1 commit into
BCA-krishna wants to merge 1 commit into
Conversation
…ssion The NextAuth session() callback was copying the GitHub OAuth access token onto the session object, which is returned to the browser via useSession()/getSession(). Any JavaScript running on the page — including a successful XSS payload — could read it directly. Changes: - Remove session.accessToken assignment from the session() callback in src/lib/auth.ts; the token now stays only in the encrypted HttpOnly JWT cookie that NextAuth manages and never reaches the browser. - Add getAccessToken() to src/lib/get-session-token.ts: a server-only helper that reads the token directly from the JWT via next-auth/jwt getToken(), for use in API route handlers. - Update test/auth.test.ts to assert that accessToken is NOT present on the session object (was asserting the opposite before this fix). API routes that still read session.accessToken will be migrated to getAccessToken() in a follow-up PR to keep this change reviewable. Closes Priyanshu-byte-coder#2845
GSSoC Label Checklist 🏷️@Priyanshu-byte-coder — please apply the appropriate labels before merging: Difficulty (pick one):
Quality (optional):
Validation (required to score):
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #2845
What changed and why
The NextAuth
session()callback insrc/lib/auth.tswas copying theraw GitHub OAuth access token onto the
sessionobject. Sincesessionis returned to the browser via
useSession()/getSession(), anyJavaScript on the page — including an XSS payload — could read the token
and gain full GitHub API access with the granted scopes.
Files changed (3 files only)
src/lib/auth.ts— removedsession.accessToken = token.accessTokenfrom the
session()callback. Token stays in the encrypted HttpOnlyJWT cookie only.
src/lib/get-session-token.ts— addedgetAccessToken(), aserver-onlyhelper that reads the token directly from the JWT vianext-auth/jwt'sgetToken(), for use in API route handlers.test/auth.test.ts— updated test to assert thataccessTokenisNOT present on the session object (previously asserted the opposite).
Follow-up
API routes that currently read
session.accessTokenwill be migrated togetAccessToken()in a follow-up PR. Those routes are all server-side(
src/app/api/) and never reach the browser, so they continue to workcorrectly via the session callback until migrated.
Testing
npm run type-check— 0 errorsnpm run lint— 0 errorsnpm test— auth.ts tests all pass (18/18)