re: Your thoughts on Creating a New User VIEW POST

TOP OF THREAD FULL DISCUSSION
re: Yes, I think caution is reasonable here. I hope to learn always from other developer approaches and patterns. Mostly, I care about why. :)
 

Regarding the dangers of redirects, I think Ben is talking about open redirects, where your taking the URL or part of it from user input. If you don't validate this, an attacker can create a link that looks like a link to your site, but that actually takes the user to another site.

For example, it's very common to redirect users back to the page they were viewing when they logged in.

Let's say a user visits

yoursite.io/private

which requires login, so you redirect them to

yoursite.io/login*?next=/private*

After logging in, you take that next parameter from the URL and redirect them there.

If you're not careful to validate that that parameter starts with a single slash (which indicates that it is a path within your site), an attacker could give someone a link to

yoursite.io/login*?next=evil.com*

which causes your server to redirect the user to http://evil.com

Thanks for the description of this, Frederik! That is good to protect against. I think I've covered this risk, but I should verify.

How I handle that next url: in the auth middleware, if the check fails, I store the path of the request in the session before redirecting to login. Then, in the login handler, retrieve the path from the session and redirect. That way, we're guaranteed that the path is on our site AND it can't be modified.

Nice. Thanks for sharing your approach. I have seen devs (in videos) have a catchall route for any route that doesn't match something on the server or client -> if any route is passed to domain.com/someroute that doesn't match an explicit route just goes to domain.com/ - but catching it in the next would ensure that they go to the right place and not just back to the homepage.

code of conduct - report abuse