dgrubelic / vue-authenticate

Simple Vue.js authentication library

Why am I able to consume sensitive API data despite not having token? #235

Open dosstx opened 3 years ago

dosstx commented 3 years ago

Hello, I am using the vue-authenticate library and still seem to be pulling secret API data despite manually deleting my token from localStorage in an incognito session in Chrome and Edge.

My expected output is that if I delete the token and have no other browsers open other than incognito browser session, I should not be able to consume sensitive API data.

Here's my setup:

import Vue from 'vue'
import App from './App.vue'
import router from './router'
import store from './store' // assumed path: 'store' is passed to new Vue() below but was not imported in the snippet
import VueAxios from 'vue-axios'
import VueAuthenticate from 'vue-authenticate'
import axios from 'axios'

Vue.use(VueAxios, axios)
Vue.use(VueAuthenticate, {
  baseUrl: 'http://localhost:8080',

  providers: {
    abc: {
      name: 'abcName',
      url: '/auth/abc',
      clientId: process.env.VUE_APP_CLIENT_ID,
      redirectUri: 'http://localhost:8080',
      authorizationEndpoint: process.env.VUE_APP_AUTH_ENDPOINT,
      defaultUrlParams: ['response_type', 'client_id', 'redirect_uri'],
      requiredUrlParams: null,
      optionalUrlParams: null,
      scope: null,
      scopePrefix: null,
      scopeDelimiter: null,
      state: null,
      oauthType: '2.0',
      popupOptions: null,
      responseType: 'token',
      responseParams: {
        code: 'token',
        clientId: 'clientId',
        redirectUri: 'redirectUri'
      }
    }
  }
})

new Vue({
  router,
  store,
  render: (h) => h(App)
}).$mount('#app')

I am testing this with a button click event called async getData():

async getData() {
  // localStorage.getItem() returns null once the key has been deleted,
  // so the header below is then sent as the literal string "Bearer null"
  const token = localStorage.getItem('vue-authenticate.vueauth_token')

  console.log(token)
  try {
    const response = await axios.get(
      'https://abc-api.com/getDataStuff',
      {
        headers: {
          Authorization: `Bearer ${token}`
        },
        withCredentials: true // browser also attaches any cookies it holds for abc-api.com
      }
    )
    console.log('data:', response.data)
  } catch (error) {
    // the snippet in the issue ends without this catch; added so the try block is complete
    console.error('request failed:', error)
  }
}

The above code allows the client to get data, but if I manually copy the https://abc-api.com/getDataStuff link and paste it into another incognito browser session, I get a 401 permission error (which is what I expected to get above).

I do have my localhost URI whitelisted in my server's SSO config, as well as the backend API's SSO config. I am also using implicit grant type.

Thanks for any light anyone can shed as to why I am able to consume API data despite having, as far as I can tell, no token in my incognito browser session.
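As an added example (not code from the issue or from vue-authenticate), the helpers below show which credentials a request shaped like getData() actually transmits once the token key is gone, and an axios-style request interceptor that refuses to send rather than fall back on ambient cookies. `classifyAuthorizationHeader`, `describeCredentials`, `requireBearer`, the `allowAmbientCookies` flag and the sample config are assumptions for illustration.

```javascript
// Added example, not part of the issue or of vue-authenticate.
const TOKEN_KEY = 'vue-authenticate.vueauth_token'; // key read in getData() above

// Classify an Authorization header value. localStorage.getItem() returns null for a
// deleted key, and `Bearer ${null}` is the string "Bearer null": a header is still
// transmitted, so "no token in storage" does not mean "no Authorization header".
function classifyAuthorizationHeader(value) {
  if (typeof value !== 'string' || value.trim() === '') return 'missing';
  const trimmed = value.trim();
  if (!/^Bearer\b/i.test(trimmed)) return 'non-bearer';
  const token = trimmed.slice('Bearer'.length).trim();
  if (token === '') return 'missing';
  return token === 'null' || token === 'undefined' ? 'literal-null' : 'present';
}

// Summarise what an axios-shaped request config would send. withCredentials: true
// makes the browser attach any cookies it holds for the API origin, independently
// of localStorage, so a cookie-based SSO session can still authenticate the call.
function describeCredentials(config) {
  const headers = config.headers || {};
  return {
    bearer: classifyAuthorizationHeader(headers.Authorization),
    ambientCookies: config.withCredentials === true,
  };
}

// Assumed axios-style request interceptor: attach a real token from storage or
// refuse to send, and drop ambient cookies unless the caller opted in through the
// hypothetical allowAmbientCookies flag. Install with
//   axios.interceptors.request.use(cfg => requireBearer(cfg, localStorage))
function requireBearer(config, storage) {
  const token = storage.getItem(TOKEN_KEY);
  if (classifyAuthorizationHeader(`Bearer ${token}`) !== 'present') {
    throw new Error(`no access token under ${TOKEN_KEY}; request not sent`);
  }
  const { allowAmbientCookies = false, ...rest } = config;
  return {
    ...rest,
    headers: { ...(config.headers || {}), Authorization: `Bearer ${token}` },
    withCredentials: allowAmbientCookies,
  };
}

// Constructed sample mirroring getData() after the token key was deleted.
const requestWithoutToken = {
  url: 'https://abc-api.com/getDataStuff',
  headers: { Authorization: `Bearer ${null}` },
  withCredentials: true,
};
```

Running `describeCredentials(requestWithoutToken)` reports a literal-null bearer plus ambient cookies, which is the combination to compare against the API's own logs when deciding which credential it honoured.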