j0lv3r4 / next-authentication Goto Github PK

The old API relied on getInitialProps and a HOC component. The new API works with API routes and getServerSideProps so the documentation needs updates.

Is it possible to create an example using an external api instead of next api routes? With external API I mean a regular nodejs api running in another port but in the same domain, it can be using passport or anything simple, I just want to see how the communication would be like.

By the way, good job with the project ❤️ Keep it up the good work.

We can't access Router directly from next/router so we should use instead a callback function so the user can handle the redirection or whatever they want to do afterwards

The goal is to provide helpers that minimize the boilerplate to write on Next.js apps.

next-authentication assumes that all cookies aren't httponly and this might cause conflicts.

For example, I'm working on a lambda function that only does OAuth and 302 redirects back to the web app with cookies in the headers, so that the Next.js app can grab on the first load. So the library I'm using sets the cookie setting httponly true by default and I think that's okay.

So instead of changing that security setting to false I'd like to figure out to handle this in the Frontend. It might not be possible, but I'll do some research first before adding any warning or so to the library.

To set up the implementation we use the csrf library. The same that the csurf middleware uses for Express.

How csrf works

csrf helps to mitigate CSRF by first creating two tokens:

• CSRF secret: A Cryptographically secure CSRF token, supposedly known by the server only, i.e., <secret>
• CSRF token: A hash of the secret, the actual token, plus a salt, i.e., <salt>;<token>

Then, csrf validates the token by doing <secret>+<salt>=<token>.

How to mitigate CSRF in Next.js using csrf

CSRF mitigation should happen when a Next.js application sends a state-changing request (POST, PUT, PATCH, and DELETE) to a protected API route.

The mitigation works by:

• Creating a secret that only the server knows and the user will use for the entire session
• Creating a token with the secret and a salt. The token is signed as well.
• On every request, the Next.js application must send the token in a custom request header and a cookie
• The server validates the tokens by:
  • Validating the signatures
  • Checking that the token of the custom header and the cookie is the same (Double-submit cookie pattern)
  • Validating the token using csrf
• If the validation succeeds then we generate a new token.

On every request to an API route, the server validates the token with the secret saved in memory. Every time the user lands on the Next.js app a secret and a token will be generated.

References:

• Understanding CSRF
• OWASP Cheat Sheet Series Cross-Site Request Forgery Prevention
• Double Submit Cookie

The goal is to implement a middleware that will delete a cookie session and redirect the user in case of an invalid or missing token in the headers, e.g.,

export default auth((req, res) => {
  res.end('ok');
});

Examples:

• https://github.com/zeit/next.js/tree/canary/examples/api-routes-middleware
• https://github.com/zeit/next.js/tree/canary/examples/with-passport-and-next-connect

Probably an example using Objection.js and SQLite so people can run it locally.

Right now the documentation only explains the API. I'd like to expand on reasons why middlewares work like that and more examples.

Adding expiration date (exp) in the JWT it would be useful if there's a way to check the validity of the token before each request. Same with a server check of token validation.