Description:
A HIGH security vulnerability exists in backend/server.js at lines 20–24 and backend/routes/auth.js at lines 29 and 44. The express-session configuration does not set secure: true or sameSite: 'strict' on the session cookie, and two error handlers return raw err.message values exposing MongoDB internals to clients.
Impact:
- Session hijacking over HTTP: Without secure: true, the session cookie (connect.sid) is transmitted in plaintext over HTTP. Any network observer (shared Wi-Fi, ISP, transparent proxy) can capture it and replay it to impersonate a logged-in user.
- CSRF on state-changing endpoints: Without sameSite: 'strict', a third-party page can embed a cross-site GET request to /api/auth/logout and force-logout any user who visits it. As the app grows and adds more authenticated POST/PUT/DELETE endpoints, all of them are exposed to cross-site request forgery.
- Internal information disclosure: The 500 error handler returns { "message": "Error creating user", "error": err.message }. A trigger-able error (e.g., a duplicate key violation) leaks the MongoDB collection name, index names, and key values: E11000 duplicate key error collection: githubTracker.users index: email_1 dup key: { email: "..." }. This fingerprints the database and narrows the surface for further attacks.
Steps to Reproduce:
- Register a user, then trigger a duplicate-key 500 by sending a malformed but valid-schema payload that hits a Mongo error → response body contains raw MongoDB error string including collection and index names.
- Inspect the Set-Cookie response header after login: the cookie lacks the Secure attribute, meaning it will be sent over plain HTTP connections.
- From a page on another origin, load an <img src="http://localhost:5000/api/auth/logout">; the GET logout fires cross-site (SameSite=Lax allows cross-site GETs for top-level navigations).
Expected Behaviour:
- Session cookie must carry Secure, HttpOnly, and SameSite=Strict attributes.
- 500 error responses must never include err.message or any internal stack/query details; return a generic message only.
Proposed Fix:
```js
// server.js — harden session cookie
app.use(session({
  secret: process.env.SESSION_SECRET,
  resave: false,
  saveUninitialized: false,
  cookie: {
    httpOnly: true,
    secure: process.env.NODE_ENV === 'production',
    sameSite: 'strict',
    maxAge: 24 * 60 * 60 * 1000,
  },
}));

// routes/auth.js line 29 — strip internal error
res.status(500).json({ message: 'Error creating user' });

// routes/auth.js line 44 — strip internal error
return res.status(500).json({ message: 'Logout failed' });
```
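The two expected behaviours above (hardened cookie attributes, no internal error details in 500 bodies) can be checked mechanically. The following is an added example, not code from this repository: `parseSetCookie`, `sessionCookieFindings`, `safeErrorResponse` and `bodyLeaksInternals` are hypothetical helper names, and the Set-Cookie headers and the duplicate-key error object are constructed to mirror what the Impact and Steps to Reproduce sections describe. It runs under plain Node with no dependencies.

```javascript
// Added example (not the project's code): defender-side checks for the two
// findings in this report. Helper names are hypothetical; samples are constructed.

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [nameValue, ...attrParts] = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = nameValue.indexOf('=');
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attributes: {} };
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Return the hardening gaps for a session cookie header; an empty list means the
// cookie carries Secure, HttpOnly and SameSite=Strict as the expected behaviour requires.
function sessionCookieFindings(header) {
  const { attributes } = parseSetCookie(header);
  const findings = [];
  if (!attributes.secure) findings.push('missing Secure');
  if (!attributes.httponly) findings.push('missing HttpOnly');
  const sameSite = String(attributes.samesite || '').toLowerCase();
  if (sameSite !== 'strict') findings.push(`SameSite=${sameSite || '<unset>'} (expected Strict)`);
  return findings;
}

// Build the client-facing 500 response: a generic message only. The original error,
// err.message included, goes to the server-side log sink and never into the body.
function safeErrorResponse(err, publicMessage, logSink) {
  logSink.push({ level: 'error', name: err.name, code: err.code, message: err.message });
  return { status: 500, body: { message: publicMessage } };
}

// True if a response body still carries MongoDB internals of the kind quoted in the report.
function bodyLeaksInternals(body) {
  return /E11000|collection:|index:|dup key/.test(JSON.stringify(body));
}

// Constructed samples -------------------------------------------------------
// Header shaped like express-session's output with the default cookie options.
const WEAK_HEADER = 'connect.sid=s%3Aabc123.sig; Path=/; HttpOnly';
// Header shaped like the output after the proposed fix, with NODE_ENV=production.
const HARDENED_HEADER =
  'connect.sid=s%3Aabc123.sig; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT; HttpOnly; Secure; SameSite=Strict';
// Duplicate-key error object shaped like the one quoted in the Impact section.
const DUP_KEY_ERROR = Object.assign(
  new Error('E11000 duplicate key error collection: githubTracker.users index: email_1 dup key: { email: "a@b.c" }'),
  { name: 'MongoServerError', code: 11000 },
);

function main() {
  console.log('weak cookie findings:', sessionCookieFindings(WEAK_HEADER));
  console.log('hardened cookie findings:', sessionCookieFindings(HARDENED_HEADER));
  const serverLog = [];
  const res = safeErrorResponse(DUP_KEY_ERROR, 'Error creating user', serverLog);
  console.log('client sees:', res.body, '| leaks internals:', bodyLeaksInternals(res.body));
  console.log('server log entry:', serverLog[0]);
}
main();
```

One caveat worth keeping next to the proposed fix: with `secure: true`, express-session only sets the cookie when it sees an HTTPS connection, so an app deployed behind a TLS-terminating reverse proxy also needs `app.set('trust proxy', 1)` (or the equivalent for the proxy in use), otherwise logins will silently stop producing a session cookie in production.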
Labels: type:bug level:intermediate gssoc:approved gssoc26
Please assign this issue to me under GSSoC 2026. I will open a PR with a complete fix covering all affected files, proper test coverage, and verification steps.