Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Users objects created even when calling site not in trusted domain #252

Open
LukeeRBLX opened this issue Sep 15, 2024 · 2 comments
Open

Comments

@LukeeRBLX
Copy link
Contributor

Hi,

I have come across an issue where user objects are still allowed to be created inside of a project that has its requested header coming from a non trusted domain.

This happens on both Production and Non production methods.

NextJS site has the correct ENV variables set up but I have not yet listed this as a trusted domain.
(This is a published site on vercel and not a localhost)

When going to my setup flow on my website, I enter an email address and submit, I receive my error that I am not apart of the trusted domains but the user object is still created within my project. I am unsure if this functionality is intended but incase of secret keys being hijacked, this is something I wouldnt want to happen outside of my enlisted sites.

image

image

Magic links gives me an error, still allowing a user object to be created.

Whilst credentials (email & password) allow me to create a user and login

image

Please try and replicate to get same behavior.

This is running a very clean nextjs project using the default components with no edits to source code.

@fomalhautb
Copy link
Contributor

fomalhautb commented Sep 15, 2024

Just to be clear, this is not the ideal user experience, but it is also not a security risk.

The trusted domain is used for redirect URLs like magic link email and OAuth provider callbacks, where the server needs to call an endpoint with sensitive information. Signing up/in itself is an action that can be done from any domain (because it is just an API call).

The reason for a created user but a "redirect URL" error is that the endpoint first creates the user, and then tries to validate the email redirect URL (which in your case is a not allowed domain), so it refuses to send the email and returns an error.

We will try to validate the redirect URL before the user is created so it creates a more consistent developer experience, but no need to worry about security here.

@DarshanChandegara
Copy link

Heyy @LukeeRBLX , i would like to work on it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants