node-mailchimp icon indicating copy to clipboard operation
node-mailchimp copied to clipboard

Published 20 hours ago verified publisher icon thorning

Auth Token gets returned in the Error

Open robinlarondelle opened this issue 4 years ago • 1 comments

When you make a request through this package to the Mailchimp API, and the API returns an error, the Error JSON contains the Basic Auth token. You can extract this token and make requests without knowing the API key.

My question/issue is: Does Mailchimp return the Auth token by itself, or is it included by this package to the error response? If so: why? Including the Auth token in your error response creates a security issue, where your access token can be stolen.

Let me know, thanks ;)

robinlarondelle avatar Sep 03 '20 14:09 robinlarondelle

I think what you refer to is here: https://github.com/thorning/node-mailchimp/blob/master/index.js#L517-L523

The rejected error contains the full response object from request, which could contain data that should not be exposed the the client.

I would be hesitant to change the error content, as much existing error handling depends on it. I would also argue to always be careful when returning raw errors to the client.

I think the best solution would be to have user friendly message on the error, that is safe and useful to send to end users. I will gladly accept a PR for that :)

thorning avatar Sep 04 '20 09:09 thorning