@thirdweb-dev/auth API vulnerability #472

Closed
jaschahuisman opened this issue Dec 25, 2022 · 1 comment

jaschahuisman commented Dec 25, 2022

Issue

When sending a blank GET request to /api/auth/login using @thirdweb/auth in Next.js (and Express.js as well), the whole server crashes because of an unexpected token in this line of code.

This might be a vulnerability because this is a way to crash the whole backend with one single request.

Also worth mentioning: the atob method used here is deprecated.

const payload = JSON.parse(atob(req.query.payload as string)) as LoginPayload;

The error

error - node_modules/@thirdweb-dev/auth/next/evm/dist/thirdweb-dev-auth-next-evm.esm.js (20:0) @ handler$2
error - SyntaxError: Unexpected token º in JSON at position 0
    at JSON.parse (<anonymous>)

Possible solutions

  1. Replace the deprecated atob method with the modern Buffer.from method.
  2. Handle the case where the req.query.payload is null or undefined.
  3. Catch server errors in the whole route handler.
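The three fixes above combined into one hardened handler, as an added example that is not thirdweb's code (the function names, the Express-style req/res shape and the response bodies are assumptions):

```javascript
// Added example, not thirdweb's code: the issue's three fixes in one handler.
const BASE64_RE = /^[A-Za-z0-9+/]*={0,2}$/;

// Fix 1: Buffer.from() instead of the deprecated atob(). Buffer.from() silently
// skips characters it cannot decode, so alphabet and padded length are checked.
function decodeBase64Strict(input) {
  if (typeof input !== 'string' || input.length % 4 !== 0 || !BASE64_RE.test(input)) {
    return null; // not base64
  }
  return Buffer.from(input, 'base64').toString('utf8');
}

// Fix 2: a missing or malformed payload yields a 400 result instead of a throw.
// A missing query parameter is undefined; atob() coerces it to "undefined",
// whose base64 decoding starts with byte 0xBA ("º" in Latin-1, see the error).
function parseLoginPayload(raw) {
  if (typeof raw !== 'string' || raw.length === 0) {
    return { ok: false, status: 400, error: 'missing payload' };
  }
  const decoded = decodeBase64Strict(raw);
  if (decoded === null) {
    return { ok: false, status: 400, error: 'payload is not valid base64' };
  }
  let payload;
  try { payload = JSON.parse(decoded); } catch (_err) {
    return { ok: false, status: 400, error: 'payload is not valid JSON' };
  }
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return { ok: false, status: 400, error: 'payload must be a JSON object' };
  }
  return { ok: true, payload };
}

// Fix 3: route-level error boundary (Express-style req/res assumed), so an
// unexpected exception becomes a 500 response instead of a process crash.
function withErrorBoundary(handler) {
  return async (req, res) => {
    try {
      await handler(req, res);
    } catch (err) {
      console.error('login handler failed:', err);
      res.status(500).json({ error: 'internal error' });
    }
  };
}
const loginHandler = withErrorBoundary(async (req, res) => {
  const result = parseLoginPayload(req.query.payload);
  if (!result.ok) return res.status(result.status).json({ error: result.error });
  return res.status(200).json({ address: result.payload.address });
});
```

Note that '+' in a raw query string is decoded as a space unless the client URL-encodes the payload; a payload that arrives mangled that way is rejected as invalid base64 rather than crashing the process.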

gtandes commented Jan 9, 2023

Good day ser. I'm trying to code along the token-gated NFT tutorial by Thirdweb in this article:

https://blog.thirdweb.com/guides/nft-gated-website/

However, during installation of the Auth SDK, I get an error about a NextJS13 conflict. I tried using legacy-peer-deps; however, after installation, no data could be pulled from ThirdWebAuth. Might you know what the issue is here?
