New Rule: Require reference to sessionToken cookie in API route handlers #20

Open
karlhorky opened this issue Nov 27, 2021 · 0 comments
karlhorky commented Nov 27, 2021

A very common security problem in student projects is not referencing the `sessionToken` cookie within an API route (leaving it unprotected and open to anyone who wants to hit the API endpoint with Postman, a script or similar).

We should check all API route handlers that the user writes (the default export in all files in the `pages/api` folder; check out the `no-document-import-in-page` rule for implementation hints) to make sure that they are referring to `sessionToken` somewhere.

Students can "opt out" of this behavior by writing `unprotected` at the start of the function name (so they do this while being aware of it), e.g. `unprotectedUsersHandler`.

@upleveled upleveled deleted a comment from Josehower Dec 9, 2021
@karlhorky karlhorky changed the title New Rule: Require reference of sessionToken cookie in API route handler functions (unless function name prefixed with "unprotected") New Rule: Require reference to sessionToken cookie in API route handlers Jan 19, 2022
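One way to implement the rule the issue asks for, as an added example that is not part of the issue or of the project's code base. It uses ESLint's standard rule shape (`meta`/`create`, a visitor for `ExportDefaultDeclaration`, `context.report`) and assumes: the default export of any file under `pages/api/` is the route handler; any identifier or string literal equal to `sessionToken` inside the handler counts as a reference; a handler name starting with `unprotected` opts out; an export that cannot be resolved to a function in the same file (e.g. `export default withSomething(handler)`) is skipped. The `runRule`, `apiModule`, `member` and `demo` helpers and the hand-built ASTs are constructed stand-ins for ESLint and its parser so the block runs offline without ESLint installed.

```javascript
'use strict';
// Added example, not the project's own rule: an ESLint rule of the shape the
// issue describes. Assumptions: the default export of any file under pages/api/
// is the route handler; any reference to `sessionToken` in it (identifier or
// string literal) counts as protected; a handler whose name starts with
// "unprotected" is an explicit opt-out.
const COOKIE = 'sessionToken';
const OPT_OUT_PREFIX = 'unprotected';

// True for any path containing a `pages/api/` segment (Windows separators tolerated).
const isApiRoute = (filename) => /(^|\/)pages\/api\//.test(String(filename).replace(/\\/g, '/'));

// Generic ESTree walk: does any node mention the cookie name as an identifier
// (`req.cookies.sessionToken`, `{ sessionToken }`) or a string (`cookies['sessionToken']`)?
function mentionsCookie(node) {
  if (!node || typeof node !== 'object') return false;
  if (Array.isArray(node)) return node.some(mentionsCookie);
  if (node.type === 'Identifier' && node.name === COOKIE) return true;
  if (node.type === 'Literal' && node.value === COOKIE) return true;
  // `parent` is ESLint's cyclic back-reference; loc/range hold no code.
  return Object.keys(node).some((k) => k !== 'parent' && k !== 'loc' && k !== 'range' && mentionsCookie(node[k]));
}

// Resolve `export default X` to { name, fn }: an inline function, or an identifier
// bound to a top-level function declaration or variable initialiser in the same file.
function resolveHandler(declaration, program) {
  if (['FunctionDeclaration', 'FunctionExpression', 'ArrowFunctionExpression'].includes(declaration.type)) {
    return { name: declaration.id ? declaration.id.name : null, fn: declaration };
  }
  if (declaration.type === 'Identifier') {
    for (const s of program.body) {
      if (s.type === 'FunctionDeclaration' && s.id && s.id.name === declaration.name) return { name: s.id.name, fn: s };
      const v = s.type === 'VariableDeclaration' && s.declarations.find((d) => d.id.type === 'Identifier' && d.id.name === declaration.name);
      if (v) return { name: declaration.name, fn: v.init };
    }
  }
  return { name: null, fn: null }; // e.g. `export default withX(handler)`: not analysed by this rule
}

const rule = {
  meta: {
    type: 'problem',
    docs: { description: `require API route handlers to reference the ${COOKIE} cookie` },
    schema: [],
    messages: {
      unprotected: `API route handler "{{name}}" never references the "${COOKIE}" cookie; read it ` +
        `(e.g. req.cookies.${COOKIE}) or prefix the handler name with "${OPT_OUT_PREFIX}" to opt out`,
    },
  },
  create(context) {
    // ESLint 9 exposes context.filename / context.sourceCode; ESLint 8 has getter methods.
    const filename = context.filename ?? context.getFilename();
    if (!isApiRoute(filename)) return {};
    const sourceCode = context.sourceCode ?? context.getSourceCode();
    return {
      ExportDefaultDeclaration(node) {
        const { name, fn } = resolveHandler(node.declaration, sourceCode.ast);
        if (!fn) return; // assumption: unresolvable exports are left to human review
        if (name && name.startsWith(OPT_OUT_PREFIX)) return; // deliberate opt-out
        if (mentionsCookie(fn)) return;
        context.report({ node, messageId: 'unprotected', data: { name: name ?? '(anonymous)' } });
      },
    };
  },
};
if (typeof module !== 'undefined') module.exports = rule;

// Minimal stand-in for ESLint so the rule runs offline: hand-built ESTree programs
// (constructed input, standing in for parser output) go through a fake context
// and the reported messageIds are collected.
function runRule(program, filename) {
  const reported = [];
  const visitors = rule.create({ filename, sourceCode: { ast: program }, report: (r) => reported.push(r.messageId) });
  for (const s of program.body) {
    if (s.type === 'ExportDefaultDeclaration' && visitors.ExportDefaultDeclaration) visitors.ExportDefaultDeclaration(s);
  }
  return reported;
}
const id = (name) => ({ type: 'Identifier', name });
const member = (object, property, computed = false) => ({ type: 'MemberExpression', computed, object, property });
const expr = (expression) => ({ type: 'ExpressionStatement', expression });
const apiModule = (handlerName, body) => ({
  type: 'Program',
  body: [{ type: 'ExportDefaultDeclaration', declaration: { type: 'FunctionDeclaration', async: true,
    id: id(handlerName), params: [id('req'), id('res')], body: { type: 'BlockStatement', body } } }],
});
const readsCookie = expr(member(member(id('req'), id('cookies')), id(COOKIE))); // req.cookies.sessionToken
const sendsJson = expr({ type: 'CallExpression', callee: member(id('res'), id('json')), arguments: [] }); // res.json()

function demo() {
  const file = 'pages/api/users.js';
  return {
    protectedHandler: runRule(apiModule('usersHandler', [readsCookie, sendsJson]), file), // []
    unprotectedHandler: runRule(apiModule('usersHandler', [sendsJson]), file), // ['unprotected']
    optedOut: runRule(apiModule('unprotectedUsersHandler', [sendsJson]), file), // []
    notAnApiRoute: runRule(apiModule('usersHandler', [sendsJson]), 'pages/index.js'), // []
  };
}
```

Two caveats worth keeping in mind when wiring this into a real plugin. The check is purely textual, exactly as the issue asks: a handler that merely mentions `sessionToken` without validating it passes, and a handler that delegates the cookie check to a helper function defined elsewhere in the same file is flagged even though it is protected (the rule only looks inside the exported function). The opt-out prefix is deliberately a name, not a comment, so it shows up in code review and in the route's call sites.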