https://community.spotify.com/t5/Spotify-for-Developers/Possible-security-bug-in-the-web-api-auth-example-from-gitbub/m-p/5103067#M1814 <DIV><DIV class=""><DIV class=""><SPAN>I've cloned the code from: </SPAN><SPAN><A href="https://github.com/spotify/web-api-auth-examples" target="_blank" rel="noopener">https://github.com/spotify/web-api-auth-examples</A></SPAN><SPAN> and possibly found some security bug - but please correct me and explain why I'm wrong if that is the case.</SPAN></DIV></DIV><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV><P>State is set in /login route to</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup"> var state = generateRandomString(16); res.cookie(stateKey, state);</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>And then updated and checked in /callback route with</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="javascript"> var state = req.query.state || null; var storedState = req.cookies ? req.cookies[stateKey] : null if (state === null || state !== storedState) {</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>As "state" is overwritten with the users incoming query.state, wouldn't that mean that if a users traffic was interrupted by a malicious user, they could just use whatever string they wanted in their query, as long as it corresponded to their cookie and overtake the connection? Why do you overwrite the state variable at all? Shouldn't it be kept the same as when assigned in the /login route and then used as a basis for comparison and security?</P><P>&nbsp;</P> Sun, 03 Jan 2021 15:16:08 GMT alexlindgren 2021-01-03T15:16:08Z https://community.spotify.com/t5/Spotify-for-Developers/Possible-security-bug-in-the-web-api-auth-example-from-gitbub/m-p/5103067#M1814 <DIV><DIV class=""><DIV class=""><SPAN>I've cloned the code from: </SPAN><SPAN><A href="https://github.com/spotify/web-api-auth-examples" target="_blank" rel="noopener">https://github.com/spotify/web-api-auth-examples</A></SPAN><SPAN> and possibly found some security bug - but please correct me and explain why I'm wrong if that is the case.</SPAN></DIV></DIV><DIV class=""><DIV class="">&nbsp;</DIV></DIV></DIV><P>State is set in /login route to</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup"> var state = generateRandomString(16); res.cookie(stateKey, state);</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>And then updated and checked in /callback route with</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="javascript"> var state = req.query.state || null; var storedState = req.cookies ? req.cookies[stateKey] : null if (state === null || state !== storedState) {</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>As "state" is overwritten with the users incoming query.state, wouldn't that mean that if a users traffic was interrupted by a malicious user, they could just use whatever string they wanted in their query, as long as it corresponded to their cookie and overtake the connection? Why do you overwrite the state variable at all? Shouldn't it be kept the same as when assigned in the /login route and then used as a basis for comparison and security?</P><P>&nbsp;</P> Sun, 03 Jan 2021 15:16:08 GMT https://community.spotify.com/t5/Spotify-for-Developers/Possible-security-bug-in-the-web-api-auth-example-from-gitbub/m-p/5103067#M1814 alexlindgren 2021-01-03T15:16:08Z