Announcements

Possible security bug in the web api auth example from gitbub

Reply

Possible security bug in the web api auth example from gitbub

alexlindgren
Music Fan
I've cloned the code from: https://github.com/spotify/web-api-auth-examples and possibly found some security bug - but please correct me and explain why I'm wrong if that is the case.
 

State is set in /login route to

 

 

  var state = generateRandomString(16);
  res.cookie(stateKey, state);

 

 

And then updated and checked in /callback route with

 

 

  var state = req.query.state || null;
  var storedState = req.cookies ? req.cookies[stateKey] : null
  if (state === null || state !== storedState) {

 

 

As "state" is overwritten with the users incoming query.state, wouldn't that mean that if a users traffic was interrupted by a malicious user, they could just use whatever string they wanted in their query, as long as it corresponded to their cookie and overtake the connection? Why do you overwrite the state variable at all? Shouldn't it be kept the same as when assigned in the /login route and then used as a basis for comparison and security?

 

SUGGESTED POSTS