Skip to content

FIX with-apollo-auth example token access #4771

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 12, 2018
Merged

FIX with-apollo-auth example token access #4771

merged 1 commit into from
Sep 12, 2018

Conversation

@zapaiamarce
Copy link
Contributor

@zapaiamarce zapaiamarce commented Jul 12, 2018

in some cases access to the token doesn't work in client side. this access to the token once in getInitialProps method and pass it down using props

timneutkens
timneutkens reviewed Jul 12, 2018
View reviewed changes
examples/with-apollo-auth/lib/withApollo.js
...appProps,
apolloState
apolloState,
token
Copy link
Member

@timneutkens timneutkens Jul 12, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is potentially dangerous as passing down the cookie means you're taking input from the user and returning it to them, which, if Next.js didn't htmlescape the getInitialProps result, would lead to an XSS vulnerability.

To be clear Next.js does htmlescape the getInitialProps result.

Copy link
Contributor Author

@zapaiamarce zapaiamarce Jul 17, 2018

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But, do cookies have a similar behavior maybe in a lower level? Cookies travel in the headers to the both ways. Does this represent an XSS vulnerability too?

@timneutkens timneutkens merged commit ae7e532 into vercel:master Sep 12, 2018
@lock lock bot locked as resolved and limited conversation to collaborators Sep 12, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@timneutkens timneutkens timneutkens approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@zapaiamarce @timneutkens