
fix: remove notification management token from URL query parameters #6229

Merged
JhaSourav07 merged 2 commits into JhaSourav07:main from atul-upadhyay-7:fix/remove-token-from-query-params on Jun 21, 2026

Conversation

@atul-upadhyay-7

Contributor

Summary

Removes the query parameter fallback (managementToken, token) from getNotificationManagementToken(). The notification management token is now only accepted via:

  • x-notification-token HTTP header
  • managementToken field in the POST request body

Problem

URL query parameters are persisted and exposed through channels outside the application's security perimeter:

  • Server access logs — Vercel, nginx, CDN, and load balancer logs record full request URLs including query strings
  • HTTP Referer headers — If the page with the token loads any third-party resource, the full URL including the token leaks to that third party
  • CDN/proxy logs — Vercel's edge network and intermediate proxies log query strings

An attacker with access to any of these sources can obtain any user's management token and modify or delete their notification preferences.

Changes

  1. lib/notification-management-token.ts — Removed searchParams parameter and query parameter extraction logic from getNotificationManagementToken()
  2. app/api/notify/route.ts — Updated DELETE handler to stop passing searchParams to getNotificationManagementToken()
  3. lib/notification-management-token.empty-fallback.test.ts — Updated tests to verify query parameters are now ignored (security regression tests)

Testing

  • All 26 notification management token tests pass
  • All 5 DELETE route tests pass
  • All 5 mouse-interactivity tests pass
  • Lint passes (0 errors)

Fixes #6132

Human Coded
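The extraction rule described above, as an added example that is not the project's code: the pre-fix extractor with its query-string fallback sits beside the hardened form, and a third function models what an access log or Referer header retains of each request. The request shape, function names and the sample token are assumptions.

```typescript
// Added example, not the project's own code. The request shape below is a
// stand-in for what lib/notification-management-token.ts reads; its property
// names, the function names and the sample token are assumptions.
interface IncomingRequest {
  url: string;
  headers: Record<string, string>; // header names lower-cased
  body?: Record<string, unknown>; // parsed JSON body, if any
}
const HEADER_NAME = "x-notification-token";
const BODY_FIELD = "managementToken";

// Dependency-free query-string lookup; first match wins.
function queryParam(url: string, name: string): string | null {
  const qs = url.split("?")[1] ?? "";
  for (const pair of qs.split("&")) {
    const [k, v] = pair.split("=");
    if (k === name) return decodeURIComponent(v ?? "");
  }
  return null;
}

// Header-then-body lookup shared by both variants below.
function fromHeaderOrBody(req: IncomingRequest): string | null {
  const h = req.headers[HEADER_NAME];
  if (h) return h;
  const b = req.body?.[BODY_FIELD];
  if (typeof b === "string" && b) return b;
  return null;
}

// Pre-fix behaviour (the vulnerable form): falls back to ?managementToken= or ?token=.
export function getTokenLegacy(req: IncomingRequest): string | null {
  return fromHeaderOrBody(req) ?? queryParam(req.url, "managementToken") ?? queryParam(req.url, "token");
}

// Post-fix behaviour: the query string is never consulted, so a token that is
// only in the URL counts as "no token supplied".
export function getToken(req: IncomingRequest): string | null {
  return fromHeaderOrBody(req);
}

// What an access log line or a Referer header retains of a request: the full
// URL with its query string, never the headers or the body.
export function loggedUrl(req: IncomingRequest): string {
  return req.url;
}

// Constructed sample requests carrying the same token the old way and the new way.
export const viaQuery: IncomingRequest = { url: "https://example.test/api/notify?managementToken=tok_EXAMPLE", headers: {} };
export const viaHeader: IncomingRequest = { url: "https://example.test/api/notify", headers: { [HEADER_NAME]: "tok_EXAMPLE" } };
```

With the fixed extractor, a request that still sends the token only in the URL is rejected, while the logged URL of the header-based request carries no token at all.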

Removes the query parameter fallback (managementToken, token) from
getNotificationManagementToken(). Tokens are now only accepted via:
- x-notification-token HTTP header
- managementToken field in the POST request body

URL query parameters are logged by servers, CDNs, and proxies,
and leaked via HTTP Referer headers, making them unsuitable for
sensitive tokens.

Fixes JhaSourav07#6132

Human Coded
@vercel

vercel Bot commented Jun 21, 2026

Contributor

@atul-upadhyay-7 is attempting to deploy a commit to the jhasourav07's projects Team on Vercel.

A member of the Team first needs to authorize it.

@github-actions github-actions Bot added the status:blocked This PR is blocked due to a failing CI check. label Jun 21, 2026
… param

The test for DELETE /api/notify was passing the management token via
URL query parameter, which is no longer supported after the security
fix. Updated the test to pass the token via x-notification-token header
and extended makeRequest to accept custom headers.

Fixes CI failure for PR JhaSourav07#6229
@github-actions github-actions Bot removed the status:blocked This PR is blocked due to a failing CI check. label Jun 21, 2026
@github-actions

Contributor

📦 Next.js Bundle Size Report (Gzipped Sizes)

✨ No significant bundle size changes detected.

📊 Summary of Totals

Category PR Size Base Size Difference
Total JS 3697.00 KB 3697.00 KB 0 B
Total CSS 296.58 KB 296.58 KB 0 B

@Aamod-Dev Aamod-Dev added GSSoC 2026 mentor:Aamod007 level:intermediate Moderate complexity tasks quality:clean PR follows clean coding practices, proper formatting, documentation, and maintainability standards. security bug Something isn't working labels Jun 21, 2026

@Aamod-Dev Aamod-Dev left a comment

Collaborator


Great security improvement. Removing the token extraction from URL query parameters in lib/notification-management-token.ts prevents accidental exposure in proxy and server logs. The update to app/api/notify/route.test.ts nicely solidifies this new constraint. Approved!

@JhaSourav07 JhaSourav07 added the gssoc:approved PR has been reviewed and accepted for valid contribution points label Jun 21, 2026
@JhaSourav07 JhaSourav07 merged commit 80e8d0f into JhaSourav07:main Jun 21, 2026
11 of 12 checks passed
@github-actions github-actions Bot added this to the GSSoC 2026 milestone Jun 21, 2026
@github-actions

Contributor

🎉 Congratulations @atul-upadhyay-7! Your PR has been successfully merged. 🚀

Thank you for contributing to CommitPulse. Your work helps us build a better tool for the community.

⚠️ Important for GSSoC Contributors:
You are strictly advised to join our Discord Server as it is mandatory for all GSSoC participants. All important announcements, point claims, and community discussions happen there.

Keep building! 💻✨

@github-actions github-actions Bot added the type:bug Something isn't working as expected label Jun 21, 2026

Development

Successfully merging this pull request may close these issues.

Notification management token exposed through URL query parameters
