New Rule: Require reference to `sessionToken` cookie in API route handlers #20
This was referenced Dec 9, 2021
karlhorky changed the title from "New Rule: Require reference of sessionToken cookie in API route handler functions (unless function name prefixed with "unprotected")" to "New Rule: Require reference to sessionToken cookie in API route handlers" on Jan 19, 2022
A very common security problem in student projects is not referencing the `sessionToken` cookie within an API route (leaving it unprotected and open to anyone who wants to hit the API endpoint with Postman or a script or similar).

We should check all API route handlers that the user writes (the default export in all files in the `pages/api` folder - check out the `no-document-import-in-page` rule for implementation hints), to make sure that they are referring to `sessionToken` somewhere.

Students can "opt out" of this behavior by writing `unprotected` at the start of the function name (so they do this while being aware of it), e.g. `unprotectedUsersHandler`.
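The rule as described above, written as an added example in ESLint's rule-object format (not the project's own implementation): it only looks at files under `pages/api`, records whether any `sessionToken` identifier or string appears in the file, and skips a default-exported handler whose name starts with `unprotected`. The rule name, message wording, the small AST walker and the sample ASTs are my assumptions; in a real plugin ESLint supplies the traversal and the parsed file.

```javascript
// Hypothetical rule in ESLint's rule-object format (added example, not the project's code).
const requireSessionTokenRule = {
  meta: { type: 'problem', schema: [], messages: {
    missing: 'Handler "{{name}}" never references sessionToken; prefix its name with "unprotected" to opt out' } },
  create(context) {
    // Only the default export of files under pages/api is an API route handler.
    const filename = (context.filename || context.getFilename()).replace(/\\/g, '/');
    if (!/(^|\/)pages\/api\//.test(filename)) return {};
    let handler = null;     // node of the default export, if any
    let referenced = false; // set once any node mentions sessionToken
    return {
      ExportDefaultDeclaration(node) { handler = node.declaration; },
      Identifier(node) { if (node.name === 'sessionToken') referenced = true; },
      Literal(node) { if (node.value === 'sessionToken') referenced = true; }, // e.g. cookies.get('sessionToken')
      'Program:exit'() {
        if (!handler || referenced) return;
        const name = handler.id ? handler.id.name : handler.name || '(anonymous)';
        if (name.startsWith('unprotected')) return; // explicit opt-out by naming convention
        context.report({ node: handler, messageId: 'missing', data: { name } });
      },
    };
  },
};
// Minimal ESTree walker so the rule runs here without ESLint; returns the collected reports.
function runRule(ast, filename) {
  const reports = [];
  const visitors = requireSessionTokenRule.create({ filename, report: (r) => reports.push(r) });
  (function visit(node) {
    if (visitors[node.type]) visitors[node.type](node);
    for (const [key, child] of Object.entries(node)) {
      if (key === 'parent') continue;
      for (const c of Array.isArray(child) ? child : [child]) {
        if (c && typeof c === 'object' && typeof c.type === 'string') visit(c);
      }
    }
    if (visitors[node.type + ':exit']) visitors[node.type + ':exit'](node);
  })(ast);
  return reports;
}
// Constructed sample ASTs (ESTree shape) standing in for a parsed pages/api file.
function sampleHandler(name, bodyNodes) {
  return { type: 'Program', body: [{ type: 'ExportDefaultDeclaration', declaration: {
    type: 'FunctionDeclaration', id: { type: 'Identifier', name }, params: [],
    body: { type: 'BlockStatement', body: bodyNodes } } }] };
}
// The statement `req.cookies.sessionToken;` as an AST fragment.
const readsCookie = { type: 'ExpressionStatement', expression: { type: 'MemberExpression',
  object: { type: 'MemberExpression', object: { type: 'Identifier', name: 'req' },
    property: { type: 'Identifier', name: 'cookies' } },
  property: { type: 'Identifier', name: 'sessionToken' } } };
```

In a real plugin the rule object is exported under the plugin's `rules` and ESLint's `RuleTester` takes the place of `runRule` and the hand-built ASTs.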