Exposed endpoint /api/auth/_logs raise alert in OWASP scan

[jacklimwenjie]

Anyone have any idea what is the purpose of this endpoint and why is it raising alert in OWASP scan?

[balazsorban44]

Seems like a false alarm, it doesn't really make sense:

next-auth/src/server/index.js

Lines 262 to 277 in cb844a2

	case "_log":
	if (userOptions.logger) {
	try {
	const {
	code = "CLIENT_ERROR",
	level = "error",
	message = "[]",
	} = req.body
	logger[level](code, ...JSON.parse(message))
	} catch (error) {
	// If logging itself failed...
	logger.error("LOGGER_ERROR", error)
	}
	}
	return res.end()

https://next-auth.js.org/configuration/options#logger

In short, that endpoint receives logs from the client and forwards them to your logging service, if you define one.

From what I can understand, the endpoint would just crash, because the message in the body is not a valid JSON. Try sending the body in a post to that endpoint to test.

[jacklimwenjie]

I see, that makes sense. Thank you!