Is it safe to call database information from the Next-Auth session callback?

Question


    import NextAuth from "next-auth";
    import User from "../../../models/User"; // Mongoose User model; import path assumed

    export const authOptions = {
      callbacks: {
        async session({ session, token, user }) {
          // Send properties to the client, like an access_token and user id from a provider.
          // Look up the full user record by the email already in the session, minus the password.
          const getUserEmail = session.user.email;
          const userData = await User.findOne({ email: getUserEmail }).select('-password');
          session.user = userData;
          return session;
        },
      },
    };

    export default NextAuth(authOptions);

I have this code from the Next-Auth CredentialsProvider; is this approach safe to apply? Because the session information only contains the email and nothing else, I should take all the MongoDB information to use the user's profile, name, image, etc. What do you say?
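As an added example (not code from the question above), here is one way to shape what the callback exposes: instead of assigning the whole Mongoose document to `session.user`, copy a fixed whitelist of fields. `.select('-password')` removes only the password field, so any other sensitive field on the document (password-reset tokens, internal flags, `__v`) would otherwise be returned to the browser by `/api/auth/session`. The `findUserById` lookup, the `SESSION_USER_FIELDS` list and the sample record are this example's own assumptions; the callback signature matches NextAuth v4's `session({ session, token })` under the JWT strategy, where `token.sub` is the user id set at sign-in.

```javascript
// Added example, not from the original question: whitelist the fields that
// go into session.user instead of copying the whole Mongo document.

// Fields the client is allowed to see. Everything else stays server-side.
const SESSION_USER_FIELDS = ["id", "email", "name", "image", "role"];

// Build the object exposed as session.user from a plain user record
// (shape assumed: what Mongoose `.lean()` would return).
function toSessionUser(record) {
  if (!record) return null;
  const out = {};
  for (const field of SESSION_USER_FIELDS) {
    // Mongo stores the id as `_id`; expose it to the client as a string `id`.
    const value = field === "id" ? record._id : record[field];
    if (value !== undefined && value !== null) out[field] = String(value);
  }
  return out;
}

// Session callback in the shape NextAuth v4 calls it with under the JWT
// strategy: `token` is the decoded JWT and `token.sub` the user id.
// `findUserById` is a hypothetical async lookup injected for testability.
function makeSessionCallback(findUserById) {
  return async function session({ session, token }) {
    const record = await findUserById(token.sub);
    if (!record) {
      // Deleted or unknown user: hand out no user object at all.
      return { ...session, user: null };
    }
    return { ...session, user: toSessionUser(record) };
  };
}

// Constructed sample record with the kind of sensitive fields a real
// user document carries; none of them may reach the client.
const SAMPLE_USER = {
  _id: "64658f0e2b8f6c1a9c0d1234",
  email: "alice@example.com",
  name: "Alice",
  image: "https://example.com/alice.png",
  role: "user",
  password: "$2b$10$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRS", // bcrypt hash
  passwordResetToken: "3f9c1a77e2b04d6f9c0b5a1e8d2c4f60",                 // also secret
  __v: 0,
};

// Runs the callback against the constructed record and returns the session
// object exactly as NextAuth would return it to the browser.
async function demo() {
  const findUserById = async (id) => (id === SAMPLE_USER._id ? SAMPLE_USER : null);
  const sessionCb = makeSessionCallback(findUserById);
  return sessionCb({
    session: { user: { email: "alice@example.com" }, expires: "2023-06-21T00:00:00.000Z" },
    token: { sub: SAMPLE_USER._id, email: "alice@example.com" },
  });
}
```

With the database session strategy the callback receives a populated `user` argument instead of a useful `token`; the same whitelist applies there, because whatever the callback returns is what the client gets.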

Answer 1

Score: 1


In security, you must write the code yourself. Using other libs like Next-Auth that have many problems is NOT safe.

Making a lib for secure auth is so easy. You just work with JWT and have a secure JWT-SECRET-KEY. That is all!

Here I write down useful libs to make secure auth in Next.js:

  1. To sign and decode JWT: jsonwebtoken
  2. To decode the session (JWT) on the client without using the secret key. This will help you decode safely on the client, because you do not pass the secret key. You can use this option just for something easy like the profile name and so on: jwt-decode
  3. To make a secure JWT-SECRET-KEY on Linux, use this command in the terminal:

    openssl rand -base64 60

  4. To save the token as a cookie, use these libs. I used many libs but they did not work correctly: (recommended) -> cookies-next, and if you don't like it use nookies
  5. (Optional): And if you want to save the JWT session in the DB, which is NOT necessary if your secret key is secure, you can use this ORM: Prisma

huangapple
  • Published 2023-05-22 20:14:48
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76306093.html