Closed RobinMaas95 closed 1 year ago
Thanks so much for the detailed write-up! When I originally wrote the `+hooks.server.ts`, it didn't really sit right that it was the best way to handle the protection. I had actually seen that GitHub post you mentioned in the past when working on a custom auth system and forgot to consider it when using Lucia auth in this project. I was following their recommendations for how to protect the route.
You are completely right, and thanks for the example and recommended corrections! I will approve the pull request, but I will remove the example exploit code you added. Thanks so much!
tldr: #6 should fix this issue
I'm not sure if this is a security concern because, at least from what I can see, the loaded data are not returned to the client side, so they are safe. But at least it opens the door for unnecessary data loads and potential load on your internal systems or costs for usage of external APIs.

From my understanding it's kind of the issue that is discussed in this issue. The problem is that all load functions run in parallel. So as long as you keep the simple structure of the current `protected` route, everything is fine. But when you add a `+page.server.ts` file inside of the `protected` route where you access some external data sources in the `load` function, this access runs in parallel to the `load` function inside of `+layout.server.ts`. In the end the data are not returned to the client (at least I didn't find them client side) because the auth check prevents the user from accessing the `+page.svelte` file where the loaded data are passed into via prop. But the fetch call still happens (which can be annoying in case of system load or costly in case of external APIs with usage fees per call).

To have an example of the issue, you simply can add the file `src/routes/protected/+page.server.ts` with the following code (simple fetch and a log message we can see on the server side):

To see the data in case of an authorised user, you also can change `src/routes/protected/+page.svelte` so that you accept `PageData` inside the script block:

and display them in the body:

With this in place, data are loaded as soon as you hover over the `Protected` link inside of the menu. You can see the log "Fetched customers from database" (server side). This gif shows the behaviour:

To fix this problem, we can move the redirects from the `layout.svelte.ts` inside of the `protected` route into `hooks.server.ts`. See #6 for the implementation details.