
Using global writable store for session is insecure and leads to session data leak

Open · liborvanek opened this issue 2 years ago · 1 comment

If a store is created in SSR, it will end up being a global store shared by all users. The issue is discussed here: https://github.com/sveltejs/kit/discussions/4339 Docs mention it, but only ambiguously: https://kit.svelte.dev/docs/load#shared-state

How to reproduce

Add a new page /leak/+page.svelte:

```svelte
<script lang="ts">
	import { session } from "$lib/stores/session";
	$: console.log($session);
</script>

{JSON.stringify($session)}
```

  • if another user is logged in, the $session store leaks their data on an SSR request

How to fix

  • temporary solution is to wrap the store using Svelte's context API as suggested in https://github.com/sveltejs/kit/discussions/4339#discussioncomment-2372710

See also

  • https://github.com/sveltejs/kit/issues/7105

liborvanek avatar Oct 02 '22 06:10 liborvanek
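The leak described in the issue above, reproduced as a stand-alone simulation. This is an added example and not code from the sveltekit-auth-example repository or the issue author. It uses a minimal hand-written `writable` (same subscribe/set contract as Svelte's) so it runs without the svelte package, and it simulates two overlapping SSR requests by hand: each "request" writes its session, then later "renders" by reading the store back, the way a load function would after awaiting a database call. The module-level store is the pattern from the issue; the per-request object stands in for the context-API wrapper suggested in the linked discussion (the names `startRequestGlobal`, `startRequestContext` and `simulateInterleaved` are mine).

```javascript
// Added example, not part of the sveltekit-auth-example project.
// Minimal stand-in for Svelte's writable(): same subscribe/set contract.
function writable(initial) {
  let value = initial;
  const subscribers = new Set();
  return {
    set(v) {
      value = v;
      subscribers.forEach((fn) => fn(value));
    },
    subscribe(fn) {
      subscribers.add(fn);
      fn(value);
      return () => subscribers.delete(fn);
    },
  };
}

// Read a store's current value once, like svelte/store's get().
function get(store) {
  let current;
  const unsubscribe = store.subscribe((v) => { current = v; });
  unsubscribe();
  return current;
}

// --- Leaky pattern (what the issue reports) ---
// A store created at module scope is one object for the whole Node process,
// so every SSR request shares it.
const globalSession = writable(null);

// Simulated request: write the session, return a "render" step to run later
// (after the request has awaited some I/O and other requests have run).
function startRequestGlobal(user) {
  globalSession.set(user);            // visible to every other in-flight request
  return () => get(globalSession);    // render reads whatever is there now
}

// --- Per-request pattern (the suggested fix) ---
// The store is created inside the request, the way setContext() scopes it to
// one component tree for one render, so nothing is shared across requests.
function startRequestContext(user) {
  const ctx = { session: writable(user) }; // hypothetical per-request context
  return () => get(ctx.session);
}

// Interleave two requests: A starts and "awaits", B starts and "awaits",
// then both render. Returns which user's session each render produced.
function simulateInterleaved(startRequest) {
  const renderAlice = startRequest({ name: 'alice', role: 'admin' }); // constructed
  const renderBob = startRequest({ name: 'bob', role: 'user' });      // constructed
  return { aliceSaw: renderAlice().name, bobSaw: renderBob().name };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('global store :', simulateInterleaved(startRequestGlobal));
  console.log('per-request  :', simulateInterleaved(startRequestContext));
}
```

With the module-level store, Alice's render reports Bob's session (`aliceSaw: 'bob'`), which is exactly the cross-user exposure the issue describes; with the per-request store each render sees only its own user. The same reasoning applies to any module-scope mutable state touched during SSR, not just session stores.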

Yeah, this approach isn't ideal. I have a re-write that is using lucia-sveltekit but I just haven't had the time to update. I will try and get that updated this week so we don't have this in the example, though a PR is welcome in the meantime. Thanks!

danawoodman avatar Oct 02 '22 17:10 danawoodman