
Why am I able to consume sensitive API data despite not having token? #235

Open
dosstx opened this issue Jun 29, 2021 · 0 comments

dosstx commented Jun 29, 2021

Hello, I am using the vue-authenticate library and still seem to be pulling secret API data despite manually deleting my token from localStorage in an incognito session in Chrome and Edge.

My expected output is that if I delete the token and have no other browsers open other than incognito browser session, I should not be able to consume sensitive API data.

Here's my setup:

```js
import Vue from 'vue'
import App from './App.vue'
import router from './router'
import store from './store' // not in the pasted snippet; assumed, since `store` is passed to new Vue() below
import VueAxios from 'vue-axios'
import VueAuthenticate from 'vue-authenticate'
import axios from 'axios'

Vue.use(VueAxios, axios)
Vue.use(VueAuthenticate, {
  baseUrl: 'http://localhost:8080',

  providers: {
    abc: {
      name: 'abcName',
      url: '/auth/abc',
      clientId: process.env.VUE_APP_CLIENT_ID,
      redirectUri: 'http://localhost:8080',
      authorizationEndpoint: process.env.VUE_APP_AUTH_ENDPOINT,
      defaultUrlParams: ['response_type', 'client_id', 'redirect_uri'],
      requiredUrlParams: null,
      optionalUrlParams: null,
      scope: null,
      scopePrefix: null,
      scopeDelimiter: null,
      state: null,
      oauthType: '2.0',
      popupOptions: null,
      responseType: 'token', // implicit grant: the access token comes back in the redirect fragment
      responseParams: {
        code: 'token',
        clientId: 'clientId',
        redirectUri: 'redirectUri'
      }
    }
  }
})

new Vue({
  router,
  store,
  render: (h) => h(App)
}).$mount('#app')
```

I am testing this with a button click event that calls an `async getData()` method:

```js
async getData() {
  // returns null once the entry has been deleted from localStorage
  const token = localStorage.getItem('vue-authenticate.vueauth_token')

  console.log(token)
  try {
    const response = await axios.get(
      'https://abc-api.com/getDataStuff',
      {
        headers: {
          Authorization: `Bearer ${token}`
        },
        withCredentials: true // browser also attaches cookies for abc-api.com
      }
    )
    console.log('data:', response.data)
  } catch (err) {
    // the catch block and closing brace were missing from the pasted snippet
    console.error('request failed:', err)
  }
}
```

The above code allows the client to get data, but if I manually copy the https://abc-api.com/getDataStuff link and paste it into another incognito browser session, I get a 401 permission error (which is what I expected to get above).

I do have my localhost URI whitelisted in my server's SSO config, as well as the backend API's SSO config. I am also using implicit grant type.

Thanks for any light anyone can shed as to why I am able to consume API data despite having, as far as I can tell, no token in my incognito browser session.
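A diagnostic for this scenario, added here and not part of the issue or of vue-authenticate: it reproduces the `Bearer null` header the snippet sends once the token is deleted, and runs it against a constructed backend that also honours a session cookie, to show one way `withCredentials: true` can keep a request authorised with no token in localStorage. The backend logic, token and cookie values are assumptions.

```javascript
const TOKEN_KEY = 'vue-authenticate.vueauth_token' // key read in the issue's getData()

// Builds the request exactly as the issue's getData() does: with the key
// removed from localStorage, getItem() returns null and the header becomes
// the literal string "Bearer null"; withCredentials still attaches cookies.
function buildRequestConfig(storage, sendCookies) {
  const token = storage.getItem(TOKEN_KEY)
  return { headers: { Authorization: `Bearer ${token}` }, withCredentials: sendCookies }
}

// Hardened variant: send the header only when a token really exists, and do
// not ask the browser to attach cookies unless cookie-based auth is intended.
function buildRequestConfigSafe(storage) {
  const token = storage.getItem(TOKEN_KEY)
  const config = { headers: {}, withCredentials: false }
  if (token) config.headers.Authorization = `Bearer ${token}`
  return config
}

// CONSTRUCTED stand-in for the backend (not the real SSO or API): a valid
// bearer token is accepted first; failing that, a valid session cookie that
// arrived thanks to withCredentials is accepted too. Returns an HTTP status.
function simulatedApi(config, cookiesSent, validToken, validSession) {
  if (config.headers.Authorization === `Bearer ${validToken}`) return 200
  if (config.withCredentials && cookiesSent.session === validSession) return 200
  return 401
}

// The three requests a tester would compare, plus the hardened client. Sample
// token and session values are constructed.
function diagnose() {
  const emptyStorage = { getItem: () => null }   // token deleted from localStorage
  const ssoCookies = { session: 'sess-123' }     // still held by the SSO-logged-in browser
  const noCookies = {}                            // fresh incognito window
  const api = (cfg, cookies) => simulatedApi(cfg, cookies, 'tok-abc', 'sess-123')
  return {
    tokenDeletedCookiesOn: api(buildRequestConfig(emptyStorage, true), ssoCookies),
    tokenDeletedCookiesOff: api(buildRequestConfig(emptyStorage, false), ssoCookies),
    freshIncognito: api(buildRequestConfig(emptyStorage, true), noCookies),
    hardenedNoToken: api(buildRequestConfigSafe(emptyStorage), ssoCookies),
  }
}
```

Against the real API, the same comparison (same request with `withCredentials` on and off, and with the `Authorization` header omitted) tells you which credential the server is actually checking.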
