Open haruelrovix opened 11 months ago
Someone is attempting to deploy a commit to a Personal Account owned by @mazipan on Vercel.
@mazipan first needs to authorize it.
I don't think the destroy session is necessary in the current flow.
Can you check how it behaves if we use the previous token after doing logout?
Since we are already doing logout from the Firebase client side, I assume that the old token can not be verified anymore.
If it's safe, then we can remove the destroy session function completely.
I will help to check from my local.
The latest updates on your projects. Learn more about Vercel for Git ↗︎

| Name | Status | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| tanyaaja | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | Oct 24, 2023 5:01am |
@mazipan I checked it again and I guess both the master branch and this branch still have the security issue.
Scenario:
Turns out it's a bigger topic than I expected. To make it ideal, we need to introduce two things:
The approach is as documented here: Revoke refresh tokens
Rules
Revocation sample
Now when we retest the common flow above, it will be in the ideal state.
```text
{{BASE_URL}}/api/private/question/by-uid/pagination/*** FirebaseAuthError: The Firebase ID token has been revoked.
    at /tanyaaja/node_modules/.pnpm/firebase-admin@11.11.0_encoding@0.1.13/node_modules/firebase-admin/lib/auth/base-auth.js:973:27
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async GET (webpack-internal:///(rsc)/./src/app/api/private/question/by-uid/pagination/[uid]/route.ts:22:34)
    at async /tanyaaja/node_modules/.pnpm/next@13.5.4_react-dom@18.2.0_react@18.2.0/node_modules/next/dist/compiled/next-server/app-route.runtime.dev.js:6:62361 {
  errorInfo: {
    code: 'auth/id-token-revoked',
    message: 'The Firebase ID token has been revoked.'
  },
  codePrefix: 'auth'
}
```
Fixed the issue 💪🏻
HTTP Requests
-------------
```text
GET    /api/private/question/by-uid/pagination/***  500 Internal Server Error
DELETE /api/private/user/session-destroy            200 OK
GET    /api/private/user/by-uuid/***                200 OK
GET    /api/private/question/by-uid/pagination/***  200 OK
```

Ideally, the first response should be 401 Unauthorized instead of 500 Internal Server Error.
```typescript
// catch branch of the GET handler in src/app/api/private/question/by-uid/pagination/[uid]/route.ts
} catch (error: any) {
  console.error(request.url, error)
  if (error.code === 'auth/id-token-revoked') {
    // Token has been revoked. Inform the user to reauthenticate or signOut() the user.
    return NextResponse.json(
      { message: 'Session has expired. Please log in again to continue.' },
      { status: 401 },
    )
  }
  return NextResponse.json(
    { message: 'Error while getting question by uid' },
    { status: 500 },
  )
}
```
But this will be a huge refactor, let's:
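The two comments above (revoking refresh tokens on session destroy, and mapping `auth/id-token-revoked` to 401 instead of 500) can be walked through end to end with the following added example. It is not tanyaaja's code and does not call firebase-admin: the user store, the `revokeRefreshTokens` and `verifyIdToken` functions, the `AuthError` class and the token payloads are constructed stand-ins that model the check the Firebase Admin SDK performs when `checkRevoked` is true (the token's `auth_time` is compared against the user's `tokensValidAfterTime`), so that the logout-then-replay scenario from the thread runs offline.

```typescript
// Added example, not project code: an in-memory model of Firebase's
// ID-token revocation check plus the 401/500 mapping a private route
// handler should apply. All names and values below are constructed.

// Claims we need from a decoded Firebase ID token (signature assumed verified).
interface DecodedIdToken {
  uid: string
  auth_time: number // seconds since epoch, set at sign-in
}

interface UserRecord {
  uid: string
  // ISO timestamp; ID tokens whose auth_time is older than this are revoked.
  tokensValidAfterTime?: string
}

// Mirrors the `code` property the thread's catch block inspects.
class AuthError extends Error {
  constructor(public code: string, message: string) {
    super(message)
  }
}

// Constructed in-memory user store standing in for Firebase Auth.
const users = new Map<string, UserRecord>()

function createUser(uid: string): void {
  users.set(uid, { uid })
}

// Model of admin.auth().revokeRefreshTokens(uid): stamp "valid after now".
// Firebase keeps whole seconds, so round the same way for exact comparisons.
function revokeRefreshTokens(uid: string, now: Date = new Date()): void {
  const user = users.get(uid)
  if (!user) throw new AuthError('auth/user-not-found', 'No user record')
  const seconds = Math.floor(now.getTime() / 1000)
  user.tokensValidAfterTime = new Date(seconds * 1000).toISOString()
}

// Model of verifyIdToken(token, checkRevoked): only the revocation
// comparison is implemented here.
function verifyIdToken(token: DecodedIdToken, checkRevoked: boolean): DecodedIdToken {
  if (!checkRevoked) return token
  const user = users.get(token.uid)
  if (!user) throw new AuthError('auth/user-not-found', 'No user record')
  if (user.tokensValidAfterTime) {
    const validSince = new Date(user.tokensValidAfterTime).getTime() / 1000
    if (token.auth_time < validSince) {
      throw new AuthError('auth/id-token-revoked', 'The Firebase ID token has been revoked.')
    }
  }
  return token
}

// The mapping the catch block should perform: revoked -> 401, else 500.
function statusForAuthError(error: unknown): number {
  if (error instanceof AuthError && error.code === 'auth/id-token-revoked') return 401
  return 500
}

// Route-handler style wrapper returning the status a private endpoint
// should answer with for the presented token.
function handlePrivateRequest(token: DecodedIdToken): { status: number; message: string } {
  try {
    verifyIdToken(token, true)
    return { status: 200, message: 'OK' }
  } catch (error) {
    const status = statusForAuthError(error)
    return {
      status,
      message: status === 401
        ? 'Session has expired. Please log in again to continue.'
        : 'Error while getting question by uid',
    }
  }
}

// The thread's scenario: sign in, call a private endpoint, destroy the
// session (revoke), replay the old token, then sign in again.
function logoutScenario(): number[] {
  const uid = 'constructed-uid'
  createUser(uid)
  const signedInAt = 1_700_000_000 // constructed auth_time in seconds
  const oldToken: DecodedIdToken = { uid, auth_time: signedInAt }
  const before = handlePrivateRequest(oldToken).status
  revokeRefreshTokens(uid, new Date((signedInAt + 60) * 1000)) // logout a minute later
  const replay = handlePrivateRequest(oldToken).status
  const fresh = handlePrivateRequest({ uid, auth_time: signedInAt + 120 }).status
  return [before, replay, fresh] // [200, 401, 200]
}
```

The point the model makes visible is that revocation is keyed on `auth_time`, not on the token's expiry: an ID token stays cryptographically valid for its full lifetime, so without the `tokensValidAfterTime` comparison (i.e. without `checkRevoked`) the replayed token after logout would still be accepted, which is the security issue described above.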
Closes https://github.com/mazipan/tanyaaja/issues/94
Description
Tested on Logout ✅
I haven't checked the Delete User flow, but I guess we need to Revoke the Refresh token there as well.
References: