thirdweb-dev / js

Best in class web3 SDKs for Browser, Node and Mobile apps
https://thirdweb.com
Apache License 2.0

@thirdweb-dev/auth API vulnerability #472

Closed jaschahuisman closed 1 year ago

jaschahuisman commented 1 year ago

Issue

When sending a blank GET request to /api/auth/login using @thirdweb/auth in Next.js (and Express.js as well), the whole server crashes because of an unexpected token in this line of code.

This might be a vulnerability because this is a way to crash the whole backend with one single request.

Also worth mentioning that the atob method used here is deprecated.

const payload = JSON.parse(atob(req.query.payload as string)) as LoginPayload;

The error

error - node_modules/@thirdweb-dev/auth/next/evm/dist/thirdweb-dev-auth-next-evm.esm.js (20:0) @ handler$2
error - SyntaxError: Unexpected token º in JSON at position 0
    at JSON.parse (<anonymous>)

Possible solutions

  1. Replace the deprecated atob method with the modern Buffer.from method.
  2. Handle the case where the req.query.payload is null or undefined.
  3. Catch server errors in the whole route handler.
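As an added illustration (not code from the thirdweb-dev/js repository), the decoding step as reported above, beside a hardened version that validates the query parameter, decodes with Buffer.from, and turns bad input into a 400 response instead of an uncaught exception; the payload field names, the handler shape and the response stub are assumptions.

```javascript
// Added example, not thirdweb's own code. Field names (address, nonce)
// and the Express/Next-style req/res shape are assumed for illustration.

// Vulnerable shape described in the issue: an absent or malformed
// `payload` query parameter makes atob/JSON.parse throw outside any
// try/catch, so one request escapes the route handler and can take the
// process down.
function decodePayloadUnsafe(query) {
  return JSON.parse(atob(query.payload));
}

// Hardened variant: check presence and type, decode with Buffer, catch
// parse errors, and require a JSON object. Returns the payload or null
// and never throws on attacker-controlled input.
function decodePayloadSafe(query) {
  const raw = query && query.payload;
  if (typeof raw !== "string" || raw.length === 0) return null;
  try {
    const json = Buffer.from(raw, "base64").toString("utf8");
    const parsed = JSON.parse(json);
    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
      return null;
    }
    return parsed;
  } catch (_err) {
    return null;
  }
}

// Route handler: invalid input becomes a 400, the process keeps running.
function loginHandler(req, res) {
  const payload = decodePayloadSafe(req.query);
  if (payload === null) {
    return res.status(400).json({ error: "invalid or missing login payload" });
  }
  // Signature / nonce verification of the payload would continue here.
  return res.status(200).json({ ok: true, address: payload.address });
}

// Constructed stand-in for an Express-style response object.
function makeFakeRes() {
  const r = { code: 0, body: null };
  r.status = (c) => { r.code = c; return r; };
  r.json = (b) => { r.body = b; return r; };
  return r;
}

// Constructed sample of a well-formed request query.
const samplePayload = { address: "0x0000000000000000000000000000000000000001", nonce: "abc" };
const sampleQuery = { payload: Buffer.from(JSON.stringify(samplePayload)).toString("base64") };
```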

gtandes commented 1 year ago

Good day ser. I'm trying to code along the token-gated NFT tutorial by Thirdweb in this article:

https://blog.thirdweb.com/guides/nft-gated-website/

However, during installation of the Auth SDK, I get an error about NextJS13 conflict. I tried using legacy-peer-deps, however after installation, no data could be pulled from ThirdWebAuth. Might you know what's the issue here?
