quanhua92 / next-auth-ioredis-adapter-example Goto Github PK

Hi, I recently discovered this adapter for Redis, which I found really great and easy to implement.
So, first of all, I want to thank you for your job :)

But, I found a really important vulnerability issue in verification-token based authentications (Email authentications).
Basically, I've seen that your useVerificationToken function simply checks if there is a verification token with the specified email, but it doesn't check if the token is valid or not.

This means that, for example, the user [email protected] can request an email to sign in, and a verification link will be sent in his mailbox. Everything, for now, it's Ok.
But then a potential hacker who knows that [email protected] is trying to authenticate, can simply access to his profile with a random token, because in the adapter there is not a token validation. So, the hacker can go to this URL:

http://localhost:3000/api/auth/callback/email?callbackUrl=http://localhost:3000&token=INVALID_RANDOM_TOKEN&[email protected]

And he will be successfully authenticated!

I resolved this issue by modifying the useVerificationToken function like this:

async useVerificationToken(verificationToken) {
    const id = verificationToken.identifier;
    const token = await getVerificationToken(id);
    if (!token || verificationToken.token !== token.token)
      return null;
    await deleteVerificationToken(id);
    return token;
 },

Hope this helps! 👍🏻

Great Job with the adapter anyway! 🥳

Hi,

Thanks for your great work.

When I try your library, I just copy and paste your example, everything is setup same as your code, but then it keeps on showing the login page:

Click the login button it just refresh the page and show again.

My environment:

• node: v16.18.0
• next: 13.2.4
• next-auth: 4.20.1
• ioredis: 5.3.1