update conclusion
pilcrowOnPaper committed Jan 27, 2024
1 parent 8723c49 commit defbf53
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions src/posts/clerk-nextjs-vulnerability.md
Expand Up @@ -156,6 +156,6 @@ If you'd like to see the exploit in action, I have a [reproduction](https://gith

## Closing thoughts

Clerk has fixed this issue by passing the validated token alongside `AuhStatus` in the header, and parsing that token instead. They have also worked with hosting providers to prevent
Clerk has fixed this issue by passing the validated token alongside `AuhStatus` in the header, and parsing that token instead. They have also worked with hosting providers to prevent.

This vulnerability was only found in the Next.js integration and it's obvious why. Middleware in Next.js isn't comparable to middleware in other frameworks and libraries, and Vercel should stop pretending it is. It's just the wrong place to handle auth.
I do think this was preventable - don't use middleware at all. Next.js middleware is just not the place to handle auth. I don't like protecting routes with middleware in general, but Next.js comes with a big downside where you can't share data between middleware and route handlers directly. Clerk's attempt to go around that issue is what exactly caused the vulnerability.
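Review bot: the second added line still ends mid-sentence: "They have also worked with hosting providers to prevent." only gains a period over the removed line, so the reader never learns what the hosting providers now prevent; finish the clause (what was blocked, and from whom) or drop the sentence, since as the closing description of the fix it is the line readers will quote. Also worth checking in the same line that `AuhStatus` is really the header name in question rather than a misspelling, because it is rendered as a code identifier and will be taken literally. In the last added line, "is what exactly caused the vulnerability" reads more naturally as "is exactly what caused the vulnerability".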
