Bearer access token transmitted in URL query string (logged by every proxy/CDN) #33
Open
Description
- Context: Cloud / Both
- Category: Secret Leakage / Interception
- Severity: 🟠 High
Evidence
Multiple API routes accept the OAuth Bearer token as a URL query parameter:
```ts
// components/map/country-conflicts-modal.tsx
url.searchParams.set("accessToken", accessToken);
// components/search/entity-search.tsx
url.searchParams.set("accessToken", accessToken);
```

These URLs are then requested by the browser, resulting in request lines such as:

```http
GET /api/entities?name=Hezbollah&accessToken=ey...long_token...&stream=true HTTP/1.1
GET /api/countries/conflicts?country=Iran&accessToken=ey...long_token... HTTP/1.1
```
Token exposure surfaces:
| Surface | Visibility |
|---|---|
| CDN / reverse proxy access logs (nginx, Cloudflare, AWS ALB) | ✅ Logged by default |
| Next.js server-side request logging | ✅ Logged |
| Browser history | ✅ URL stored |
| Referer header on cross-origin sub-requests | ✅ Token leaked to third parties |
| Browser dev-tools Network tab (accessible to extensions) | ✅ Visible |
| APM/tracing tools (Datadog, Sentry, New Relic) | ✅ Captured in trace spans |
Standard practice: Bearer tokens must be transmitted exclusively in the Authorization HTTP header, which is stripped from logs by default.
Affected files: components/map/country-conflicts-modal.tsx, components/search/entity-search.tsx, app/api/entities/route.ts, app/api/countries/conflicts/route.ts, app/api/deepresearch/[taskId]/route.ts
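As an added example (not code from this repository), the following replaces the reported `url.searchParams.set("accessToken", ...)` pattern with a header-based request builder, shows a server-side extractor that accepts the token from the Authorization header only, and adds a check that scans access-log request lines for tokens that leaked into the query string. The `buildRequestSecure`, `extractBearer` and `findTokenLeaks` names, the `log.invalid` parsing base and the sample log lines are all constructed for illustration.

```typescript
// Added example, not code from the project: a header-based replacement for the
// reported `url.searchParams.set("accessToken", ...)` pattern, a server-side
// extractor that accepts the Authorization header only, and a check that scans
// access-log request lines for tokens that leaked into the query string.

export interface PreparedRequest {
  url: string;
  headers: Record<string, string>;
}

// Hardened client call: the URL carries no secret; the token travels only in
// the Authorization header, so it never lands in URL-based logs, history or Referer.
export function buildRequestSecure(base: string, path: string, token: string): PreparedRequest {
  const url = new URL(path, base);
  return { url: url.toString(), headers: { Authorization: `Bearer ${token}` } };
}

// Server side (e.g. a route handler): read the bearer token from the header only
// and reject requests still carrying one in the query string, so old clients fail loudly.
export function extractBearer(headers: Record<string, string>, url: string): string | null {
  if (new URL(url).searchParams.has("accessToken")) return null;
  const auth = headers["Authorization"] ?? headers["authorization"] ?? "";
  const m = /^Bearer\s+(\S+)$/.exec(auth);
  return m ? m[1] : null;
}

// Detection: scan access-log request lines for token-like query parameters and
// return a redacted copy of each offending line for triage.
const TOKEN_PARAMS = ["accessToken", "access_token", "token"];
export function findTokenLeaks(logLines: string[]): string[] {
  const hits: string[] = [];
  for (const line of logLines) {
    const m = /^(GET|POST|PUT|PATCH|DELETE)\s+(\S+)/.exec(line);
    if (!m) continue;
    const target = new URL(m[2], "http://log.invalid"); // base only so a relative path parses
    const leaked = TOKEN_PARAMS.filter((p) => target.searchParams.has(p));
    if (leaked.length === 0) continue;
    for (const p of leaked) target.searchParams.set(p, "REDACTED");
    hits.push(line.replace(m[2], target.pathname + target.search));
  }
  return hits;
}

// Constructed sample log lines modelled on the request lines in the report.
export const SAMPLE_LOG = [
  "GET /api/entities?name=Hezbollah&accessToken=eyJ.constructed.token&stream=true HTTP/1.1",
  "GET /api/countries/conflicts?country=Iran HTTP/1.1",
];
```

Running `findTokenLeaks` over exported CDN or proxy logs gives a quick measure of how many tokens have already been exposed and therefore need revoking alongside the code fix.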