@typeofalex @krall12 @sunneydev @myothercoolname @theo If you feel this strongly about the docs you can go and propose a change, they are open source for a reason.
Could the docs be more nuanced? Of course. Should you auth at the resource level? Also of course.
@typeofalex @krall12 @sunneydev @myothercoolname @theo This actually has nothing to do with Next at all and is just… basic.
What follows from it however is that middleware can be used to shortcut clear NEGATIVE (expected auth token to exist, but it doesn’t exist) cases in order to avoid downstream work, but for auth that’s all.
@typeofalex @krall12 @sunneydev @myothercoolname @theo I’m saying that any downstream resource has to verify auth again. You cannot just auth once and then absolve yourself from there on out. The place where sensitive data is read or any data is written is the place that HAS to do auth.
@krall12 @sunneydev @myothercoolname @theo @typeofalex And if you don’t do that, well then you’re saying anybody can (without any auth) just access any downstream resource, which by definition would be insecure. (All they would need for this is to discover which resources you call in your app, which generally is trivial.)
@krall12 @sunneydev @myothercoolname @theo @typeofalex Say for example you protect some admin page with middleware. Say that calls another resource that modifies (or even reads) DB state. That other resource HAS to verify the auth again. (Auth token may literally have just expired in the meantime for a basic reason.)
@typeofalex @krall12 @sunneydev @myothercoolname @theo If the only thing you’re accessing after middleware is a static page then middleware might be fine.
However if the page after middleware DOES anything on behalf of the auth’d user then that HAS to be auth’d again.
@krall12 @sunneydev @myothercoolname @theo @typeofalex It is objectively insecure to not check auth as part of later calls that you make after the initial routing is complete. Middleware in Next.js is not Express, never has been.
You can (and should) shortcut un-authed requests in middleware, but that’s it.
@krall12 @sunneydev @myothercoolname @theo @typeofalex If they are affected they had built their sites in an insecure way to begin with. Locating the source of truth for auth in middleware instead of with the APIs that need to know about the auth state would have always been insecure, regardless of this CVE.