Update middleware combination example to prevent unintended backend execution#2076
Merged
tusharpandey13 merged 11 commits intomainfrom May 13, 2025
Merged
Update middleware combination example to prevent unintended backend execution#2076tusharpandey13 merged 11 commits intomainfrom
tusharpandey13 merged 11 commits intomainfrom
Conversation
tusharpandey13
changed the title
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2076 +/- ##
=======================================
Coverage 82.25% 82.25%
=======================================
Files 21 21
Lines 1989 1989
Branches 348 348
=======================================
Hits 1636 1636
Misses 347 347
Partials 6 6 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
frederikprijck
previously requested changes
May 12, 2025
Member
frederikprijck
left a comment
frederikprijck
left a comment
There was a problem hiding this comment.
Can we add some links to the explaination of this behavior in Next.js, both in the PR and EXAMPLES.md?
nandan-bhat
previously approved these changes
May 13, 2025
Merge branch 'feature/combining-middleware-doc' of https://github.com/auth0/nextjs-auth0 into feature/combining-middleware-doc
nandan-bhat
approved these changes
May 13, 2025
tusharpandey13
dismissed
frederikprijck’s stale review
no external references exist for this vuln.
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
The existing documentation example in EXAMPLES.md for combining middleware advised copying all headers from the auth0.middleware response (authResponse) to the final response. This includes the x-middleware-next header, which Next.js uses as a signal to always forward the request to the backend application, regardless of the middleware's response status (e.g., 401 Unauthorized).
This behavior leads to a vulnerability where even if custom middleware logic correctly identifies an unauthenticated user and attempts to block the request with a 401 response, the presence of the copied x-middleware-next header causes Next.js to still execute the backend route handler. This could expose page data or allow unintended execution of backend logic for unauthenticated users.
Changes
This PR updates the EXAMPLES.md file to mitigate this issue:
Added a warning block and code sample.