The current implementation of useAccessToken allows the user to substitute their Auth header with a refresh token, essentially using it as their access token and bypassing the access tokens' expiration. This means a user can bypass all the security in place for as long as the refresh token lasts.
I recommend you add a check in useAccessToken that it actually is an access token. For example, you can make sure the fingerprint hash does not exist in the decoded token.
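A sketch of the recommended check, added here as an example and not taken from the project's code: a verifier that checks only signature and expiry accepts the refresh token, while the hardened one rejects any token carrying the fingerprint hash. It assumes JavaScript, HS256-signed tokens and a claim named `fingerprintHash`; all function names, the secret and the sample tokens are hypothetical or constructed.

```javascript
// Added example: SECRET, fingerprintHash and all function names are hypothetical.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed value, demo only
const b64url = (buf) => Buffer.from(buf).toString('base64url');
const hmac = (data) => b64url(crypto.createHmac('sha256', SECRET).update(data).digest());

// Minimal HS256 JWT issuer standing in for the library's token creation.
function sign(payload) {
  const body = b64url('{"alg":"HS256","typ":"JWT"}') + '.' + b64url(JSON.stringify(payload));
  return body + '.' + hmac(body);
}

// Signature and expiry check only: both token kinds pass this.
function verify(token, now = Math.floor(Date.now() / 1000)) {
  const [h, p, sig] = String(token).split('.');
  if (!h || !p || !sig) throw new Error('malformed token');
  const expected = Buffer.from(hmac(h + '.' + p));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Hardened check: a token carrying the refresh-only fingerprint hash is not an access token.
function verifyAccessToken(token, now) {
  const claims = verify(token, now);
  if (Object.prototype.hasOwnProperty.call(claims, 'fingerprintHash')) {
    throw new Error('refresh token presented as access token');
  }
  return claims;
}

// Constructed sample tokens: 15-minute access token, 30-day refresh token.
const NOW = 1700000000;
const accessToken = sign({ sub: 'user-1', exp: NOW + 900 });
const refreshToken = sign({
  sub: 'user-1',
  exp: NOW + 30 * 86400,
  fingerprintHash: crypto.createHash('sha256').update('constructed-fingerprint').digest('hex'),
});

// Returns true if the check accepts the token, false if it throws.
const accepts = (check, token, now) => {
  try { check(token, now); return true; } catch { return false; }
};
```

One hour after issuance, `accepts(verify, refreshToken, NOW + 3600)` is true although the access token has expired, while `accepts(verifyAccessToken, refreshToken, NOW + 3600)` is false.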