I think this exposes the "secret" key to the client's browser. Doesn't it?
dhavall08 opened this issue · 3 comments
I was looking for implementing csrf for nextjs and I came here from the npm module.
Doc usage says:
```jsx
import App from 'next/app'
import { csrfToken } from '../lib/csrf';

function MyApp({ Component, pageProps }) {
  // JSX cannot mix a spread and a bare identifier in one `{...}` expression;
  // the token has to be passed as its own prop.
  return <Component {...pageProps} csrfToken={csrfToken} />
}
```
In my opinion, we shouldn't generate the CSRF token client side. Here, as you can see above, the CSRF token is generated client side. I think this may expose the "secret" key that is used to the client's browser (as it is generated client side), and so once an attacker gets access to the "secret" key, multiple CSRF tokens can be generated.
Please correct me if I am wrong.
My idea of the implementation was to generate the CSRF token when a user visits the page. We don't expose the secret to the client, only the token that we need to implement CSRF mitigation.
However, this might not be possible when doing SSG. So, I'm revisiting the implementation again and I have a PR ready to merge soon.
@j0lv3r4 I see the PR is in Draft status. Is there something we can do to help get it merged?
I tried with this PR, and it worked!