vercel / next.js

The React Framework
https://nextjs.org
MIT License

Docs: Authentication page states encrypted sessions but the examples are signed instead, which is misleading #69413

Open andytson opened 2 months ago

andytson commented 2 months ago

What is the documentation issue?

The documentation at https://github.com/vercel/next.js/blob/canary/docs/02-app/01-building-your-application/09-authentication/index.mdx#2-encrypting-and-decrypting-sessions states encryption of sessions, but the example's session data is not encrypted.

Instead it is signed with a signature, which is good enough for some purposes but is misleading when discussing "encrypted" sessions.

Either this should be renamed, or a specific encrypted-sessions example should also be added (with authentication tags). The latter can be done, for example, with crypto or crypto.subtle ciphers.

Is there any context that might help us understand?

Encrypted sessions would use an encryption of the data (some crypto algorithms support verification as well, but some don't), hiding the data from the user, whereas signed sessions allow verification of tampering only.

Does the docs page already exist? Please link to it.

https://nextjs.org/docs/app/building-your-application/authentication

samcx commented 1 month ago

@andytson Not a security expert myself—is there an example you could provide to showcase an encrypted session?

A :pr: is welcome as well!