Auth-module: Auth0 Nuxt Security Concerns (Vuex State)

Created on 19 Jun 2020 · 13 Comments · Source: nuxt-community/auth-module

Version

v4.9.1

Reproduction link

https://nuxt-auth.herokuapp.com/

Steps to reproduce

Open up console in chrome
Input the following code in console: window.__NUXT__.state.auth.loggedIn = true
It should automatically log you in without you actually logging in by email and password

What is expected ?

It should not let people login if they are not providing email and password on the auth0 login page

What is actually happening?

I can log in by just using this code, without entering my email and password: window.__NUXT__.state.auth.loggedIn = true

After I input that code, I can access all the secret things on the page :)

Additional comments?

I am not sure if this is expected behavior or a known bug. One thing I can say for sure is that if people have a little knowledge of programming, they can easily spend a few hours digging through the Nuxt code and access all the secret things :)

Something should be set up to prevent users from accessing the state in the console.

This bug report is available on Nuxt community (#c599)

All 13 comments

I've had no luck reproducing the error.

You should add __ to the NUXT keyword both in front and behind, since the text editor automatically converts those characters into bold, so it does not display correctly:

window.__NUXT__.state.auth.loggedIn = true

Give it a try and you will see the magic :)

Holy shit it works. How does this happen??

I am not sure that's why I reported on here, but seem like nobody interested in this issue, been 4 days already

Whooa, that's so serious...
I think the team at Nuxt is very overwhelmed; we can try to address these issues, and if we succeed we create a PR.

I don't know why they defined nuxt on a window level.

I have tried that on my production app and it did not work. I guess it's just a bug in the demo.

What didn't? The auth state should be visible and mutable, no?

The _NUXT_ object is not available. I'm using the dev version

It should be available on the global object. I already tested mine in production __NUXT__
It should be a double dash __ before and after nuxt :)

I am not sure why you don't have __nuxt__ in the console, but you could try the alternative way here:
window.$nuxt.context.$auth.$state.loggedIn = true

$nuxt.context.$auth.$state.loggedIn = true

It is accessible, but here is the catch. After login is set to true, the auth module tries to fetch the user and gets a 401. This will automatically log you out. You can fool the client (this is always a risk); it is harder to fool a server.

Make sure your backend security is tight. Always have backend validation and middleware.
