by haxton 374 days ago
> Custom OAuth implementation with user registration/login

Please don't. At a 2-minute glance you are allowing empty state (CSRF) and bearer tokens in the query string[0], not checking whether the token is expired or not[1], storing secrets in plain text / not salting[2], missing PKCE validation, debug mode always on, redirect URL only checked with includes (127.0.0.1.evil.com works)[3]... so much...

Please, please, please don't recommend this for any production usage.

[0] https://github.com/f/mcp-cloudflare-boilerplate/blob/master/...

[1] https://github.com/f/mcp-cloudflare-boilerplate/blob/master/...

[2] https://github.com/f/mcp-cloudflare-boilerplate/blob/master/...

[3] https://github.com/f/mcp-cloudflare-boilerplate/blob/master/...


Thank you for bringing these out.

It’s just an initial version and a boilerplate, so it’s waiting for PRs to make it production-ready.

Hope to see someone open PRs to fix these issues and make it better.