undefined | Better HN

0 pointsbdangubic1y ago0 comments

expect you know, when you can bypass auth by adding an http header :)

0 comments

Not that this isn't a serious attack vector (a possible one), but most implementations are not simply using middleware as a standalone check for authorization then blindly serving paths/content up.

That'd be pretty bad architecture in any stack.

apsurd1y ago

so having "some protections" like db foreign key scoping that mitigates "well anyone can now bypass auth middleware for any route" makes this…

"not that bad on nextjs part"

no no, this is absolutely nuts.

whoknowsidont1y ago

Some of you are ready for an argument, you responded to my post yet seemingly missed the very first sentence fragment:

>Not that this isn't a serious attack vector

At no point did I say or imply what you put in quotes.

arandomusername1y ago

I disagree. Why pollute every function with code checking for auth if you can just do it in a middleware?

jonny_eh1y ago

The middleware should fetch auth, not check it. Each page should check the auth provided by the middleware. Skipping middleware wouldn't bypass anything in this case.

1 more reply

whoknowsidont1y ago

You don't do it everywhere. You do it in the source system. The Next.JS application should just be doing "sanity" checks and passing along identity information at most. That belongs in the middleware layer, but it's not authoritative.

If bypassing a middleware layer is the one "trust me bro" check you have in your web app, then lol.

That's actually really hilarious and you should tell me what company/website that's for so I can submit some bug bounties.

1 more reply

bdangubicOP1y ago

you probably need to re-define “most” :)

j / k navigate · click thread line to collapse

0 comments

whoknowsidont1y ago

Not that this isn't a serious attack vector (a possible one), but most implementations are not simply using middleware as a standalone check for authorization then blindly serving paths/content up.

That'd be pretty bad architecture in any stack.

apsurd1y ago

so having "some protections" like db foreign key scoping that mitigates "well anyone can now bypass auth middleware for any route" makes this…

"not that bad on nextjs part"

no no, this is absolutely nuts.

whoknowsidont1y ago

Some of you are ready for an argument, you responded to my post yet seemingly missed the very first sentence fragment:

>Not that this isn't a serious attack vector

At no point did I say or imply what you put in quotes.

arandomusername1y ago

I disagree. Why pollute every function with code checking for auth if you can just do it in a middleware?

jonny_eh1y ago

The middleware should fetch auth, not check it. Each page should check the auth provided by the middleware. Skipping middleware wouldn't bypass anything in this case.

1 more reply

whoknowsidont1y ago

If bypassing a middleware layer is the one "trust me bro" check you have in your web app, then lol.

That's actually really hilarious and you should tell me what company/website that's for so I can submit some bug bounties.

1 more reply

bdangubicOP1y ago

you probably need to re-define “most” :)

j / k navigate · click thread line to collapse