Hi, I recently discovered this adapter for Redis, which I found really great and easy to implement.
So, first of all, I want to thank you for your work :)
But I found a really important vulnerability in verification-token-based authentication (email authentication).
Basically, I've seen that your `useVerificationToken` function simply checks whether there is a verification token for the specified email, but it doesn't check whether the token itself is valid.
This means that, for example, the user [email protected] can request an email to sign in, and a verification link will be sent to his mailbox. Everything, so far, is OK.
But then a potential attacker who knows that [email protected] is trying to authenticate can simply access his profile with a random token, because there is no token validation in the adapter. So, the attacker can go to this URL:
http://localhost:3000/api/auth/callback/email?callbackUrl=http://localhost:3000&token=INVALID_RANDOM_TOKEN&[email protected]
And he will be successfully authenticated!
I resolved this issue by modifying the `useVerificationToken` function like this:
```js
async useVerificationToken(verificationToken) {
  // Look the stored token up by identifier (the email), as before...
  const id = verificationToken.identifier;
  const token = await getVerificationToken(id);
  // ...but now also require the submitted token to match the stored one.
  if (!token || verificationToken.token !== token.token)
    return null;
  // Consume the token so it can only be used once.
  await deleteVerificationToken(id);
  return token;
},
```
Hope this helps!
Great job with the adapter anyway!