[GH-ISSUE #607] Unprotected Route : /sign/[token] #166

New issue

Closed

opened 2026-02-26 18:45:40 +03:00 by kerem · 3 comments

kerem commented 2026-02-26 18:45:40 +03:00

Owner

Copy link

Originally created by @raj-saroj-vst-au4 on GitHub (Oct 30, 2023).
Original GitHub issue: https://github.com/documenso/documenso/issues/607

Issue Description

The route or page /sign/[token] is unprotected.

Steps to Reproduce

1. Create a new document by uploading > add signers > add fields > add subject > send
2. From the /documents page > click on 'sign' for the doc
3. From the /sign page, copy the full url viz. https://app.documenso.com/sign/[token]...
4. From browser, Open a new incognito window and paste the url

Expected Behavior

Should've redirected to / or login route

Current Behavior

Allows unauthenticated user to sign

Screenshots (optional)

Environment

• OS: Deepin OS
• Browser: Brave
• Version: latest

Checklist

• I have searched the existing issues to make sure this is not a duplicate.
• I have provided steps to reproduce the issue.
• I have included relevant environment information.
• I have included any relevant screenshots.
• I understand that this is a voluntary contribution and that there is no guarantee of resolution.

Originally created by @raj-saroj-vst-au4 on GitHub (Oct 30, 2023). Original GitHub issue: https://github.com/documenso/documenso/issues/607 <!--- Please provide a general summary of the issue in the Title above --> ## Issue Description The route or page /sign/[token] is unprotected. ## Steps to Reproduce 1. Create a new document by uploading > add signers > add fields > add subject > send 2. From the /documents page > click on 'sign' for the doc 3. From the /sign page, copy the full url viz. https://app.documenso.com/sign/[token]... 4. From browser, Open a new incognito window and paste the url ## Expected Behavior Should've redirected to / or login route ## Current Behavior Allows unauthenticated user to sign ## Screenshots (optional)   ## Environment - OS: Deepin OS - Browser: Brave - Version: latest ## Checklist <!--- Please check the boxes that apply to this issue report. --> <!--- You can add or remove items as needed. --> - [x] I have searched the existing issues to make sure this is not a duplicate. - [x] I have provided steps to reproduce the issue. - [x] I have included relevant environment information. - [x] I have included any relevant screenshots. - [x] I understand that this is a voluntary contribution and that there is no guarantee of resolution.

kerem closed this issue 2026-02-26 18:45:41 +03:00

kerem commented 2026-02-26 18:45:41 +03:00

Author

Owner

Copy link

@catalinpit commented on GitHub (Oct 30, 2023):

Hello @raj-saroj-vst-au4, thanks for bringing this to our attention! However, this is the intended behavior. People should be able to sign a document with an account as well.

<!-- gh-comment-id:1785113556 --> @catalinpit commented on GitHub (Oct 30, 2023): Hello @raj-saroj-vst-au4, thanks for bringing this to our attention! However, this is the intended behavior. People should be able to sign a document with an account as well.

kerem commented 2026-02-26 18:45:41 +03:00

Author

Owner

Copy link

@raj-saroj-vst-au4 commented on GitHub (Oct 31, 2023):

But unwanted or random unathenticated people can also also sign my document & my dashboard shows status completed.

<!-- gh-comment-id:1786940344 --> @raj-saroj-vst-au4 commented on GitHub (Oct 31, 2023): But unwanted or random unathenticated people can also also sign my document & my dashboard shows status completed.

kerem commented 2026-02-26 18:45:41 +03:00

Author

Owner

Copy link

@Mythie commented on GitHub (Oct 31, 2023):

But unwanted or random unathenticated people can also also sign my document & my dashboard shows status completed.

That would require them knowing the signing token which would be incredibly hard unless a recipient leaked it prior to signing.

<!-- gh-comment-id:1786942188 --> @Mythie commented on GitHub (Oct 31, 2023): > But unwanted or random unathenticated people can also also sign my document & my dashboard shows status completed. That would require them knowing the signing token which would be incredibly hard unless a recipient leaked it prior to signing.

kerem referenced this issue 2026-02-26 18:48:50 +03:00

[PR #166] [MERGED] update: add new brand color as palette in tailwind config #770

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

chore/translations

feat/signing-required-field-colors

feat/add-field-overflow-settings

chore/extract-translations

release

feat/public-completed-document-access

feat/bulk-download

docs/signing-reminders

feat/document-file-conversion

feat/prefetch-intent-navigation-links

fix/lint-project

fix/replace-linter-with-biome

fix/security-improvements

perf/dynamic-import-posthog

deps/vite-8

chore/migrate-eslint-prettier-to-oxlint-oxfmt

chore/migrate-to-pnpm

feat/add-pdf-image-renderer

feat/add-embed-v2

fix/extract-emails

feat/table-toolbar-filters

copilot/sub-pr-2478

fix/recipients-send-500

feat/external-2fa-codes

feat/protect-signing-urls

fix/checkbox-checked-values

duncan/legacy-api-endpoints

chore/block-po-files-locally

fix/default-embed-v2-document-rejection-to-false

fix/fields-dialog-title-description

copilot/sub-pr-2323

copilot/sub-pr-2267

exp/autoplace-fields

chore/server-hostname-config

fix/template-add-signers

fix/add-field-drag-drop-colors

fix/envelope-updates

feat/allow-formdata

archive/1.13.2

copilot/add-billing-section-account-page

fix/field-coordinate-bounds

feat/update-user-via-admin-dashboard

feat/expiry-links

feat/team-dashboard

feat/change-radio-direction

feat/admin-create-user-with-org

archive/v1.12.11

feat/envelopes-polish

feat/add-attachments-reworked

fix/font-size-fields

feat/improve-resend-dialog

fix/download-certificate-audit-log-safari

fix/duplicate-document-by-id

feat/document-table-filters

fix/template-migration

exp/effect

fix/migrate-template-metadata

exp/keyboard-signature

feat/document-2fa-redo

feat/add-attachments

feat/billing-redirect-flow

fix/add-api-logging

fix/duplicate-document-template-review

feat/handle-redirectto-param

feat/document-processing-status-indicator

feat/customize-doc-audit-log-certificate

feat/document-2fa

feat/organisations-backup-pls

feat/audit-logs-on-completed-document

chore/webhook-trigger-multiselect

exp/bg

chore/single-signer-wording

fix/template-uploading

feat/bin-tab

fix/staging-test

feat/rr7

squish/rr7

archive/nextjs

power-signer

fix/field-placements

fix/team-member-invites

fix/checkbox-field-bugs

fix/leaderboard-query

fix/zapier-list-documents-endpoint

feat/dictate-signers

feat/allow-same-signer-email-multiple-times

wip/rr7-next

experiment/self-sign

fix/oidc-login-error

feat/document-qrcode

feat/mau

feat/copy-links-audit-logs

chore/december-dep-upgrades

wip/rr7

wip/rr7-auth-package

wip/rr7-better-auth-demo

experiment/what-if-user-ids-were-strings-instead-of-numbers

fix/refactor-api-routes

feat/add-owner-completed-email-setting

fix/embed-whitelabel-colors

feat/delete-archive

fun/sign-with-nose

expiry-links

chore/openpage-viral-metrics

fix/sitemap

feat/signing-reminder

feat/automated-fields-signature

feat/add-polish-translations

staging

fix/open-page

openpage-api-deploy

feat/pulumi

chore/angular-embed-docs

exp/next-15

chore/select-signer

feat/save-data-on-blur

feat/save-recipients-on-blur

feat/signature-color

feat/team-email-template

chore/documenso-url

chore/add-ctas

fix/docker-setup-and-documentation

fix/document-creation-timezone

feat/telemetry

feat/integration-animation

fix/render-deployment

feat/publicProfile

feat/redirect-templates

feat/passkey-dialog

fix/refactor-use-template

chore/resend-onUpdate

chore/subject-onBlur

fix/demo-trpc-duration

fix/self-signer-custom-email-message

fix/benchmark

feat/add-myself-as-signer-temp

feat/checkbox-type

feat/update-marketing-header

experiment/queue

feat/error-demo

feat/add-document-auth-options

feat/document-2fa-test

chore/status-widget

open-page-restructure

feat/document-passkey-test

chore/form-reset

fix/neon-db-migration-test

feat/public-profile

feat/launch-week-content

webhooks_plus_api

exp/custom-field-labels

feat/accept-text-signature

feat/document-version-history

fix/delete-recipient-owners

fix/whitespace-title

feat/refresh

exp/million

feat/doc-comments

ElTimuro-patch-1

feat/teams-slugify

pr/537

date-format-setting

exp/millionjs

feat/runtime-env

chore/next-14

feat/chat-with-documents

feat/plan-limits

fix/467-bugsafari-only-unable-to-copy-document-sharing-link

feat/admin-ui-manage-instance

feat/stripe-free-tier

fix/cascade-delete-share-links

feat/marketing-share-document

feat/single-player-mode-polish

feat/next-13-5-3

chore/github-templates

docs/render-deploy

chore/code-of-conduct

chore/team

feat/add-e2e-testing

docs/minor-readme-updatess

docs/dx

feat-early-adopters

feat/open-early-adopters

fix/432-signee-doc-version-doesnt-have-sticky-signing-area

fix/446-cancel-cta-does-nothing-when-a-signer-opens-the-document

fix/445-signer-name-not-persisting

feat/resend-transport

fix/incorrect-completed-stats

feat/update-email-templates

feat/mania

feat/copy-or-tweet

feat/add-design-system-page

feat/single-player-mode

feat/completed-share-link

feat/designsystem

feat/send-email

feat/custom-emails

blog/upcoming-blog-post

feat/single-player-mode-test

feat/reset-password

blog/selfhosting-blog-post

feat/redirect-signed-document

fix/og-description

feat/universal-upload

chore/readme

chore/blogposts

fix/building-documenso-description

feat/admin-ui-metrics

feat/avatar-fallback

feat/templates

feat/blog-post-next

fix/hide-user-selection

feat/disable-sign

feat/marketing-mobile-nav

chore/remove-console-log-warn

feat/add-email-field

fix/redirect-signin-to-dashboard

feat/blog-og-image

feat/redirect-on-send

feat/billing-page

feat/profile-password-form

fix/signature-color-dark-mode

feat/inbox

feat/promise-safety

readme

chore/reduce-refetch-time

feat/update-document-flow

feat/refactor-shared-components

feat/feature-flag

feat/document-authoring

feat/pie-chart-legend

feat/open-page

docs/add-gitpod-setup

docs/add-render-deploy

docs-coventional-commits

feat/table-actions

minor/updates-google-auth-refresh

feat/add-document-animation

feat/new-email-template

feat/password-reset

fix/send-error-double-send

fix/improve-stripe-webhook-endpoint

feat/support-custom-cert-paths

feat/DOC-170-add-name-field

fix/improve-general-styling

feat/DOC-210-sign-dialog-broken-on-second-opening

bugfix-#71/invalid-email-hint

chore/optimise-deps

test-pr

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.1

v2.7.0

v2.6.1

v2.6.0

v2.5.1

v2.5.0

v2.4.0

v2.3.2

v2.3.1

v2.3.0

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.0

v2.0.14

v2.0.13

v2.0.12

v2.0.11

v2.0.10

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.13.2

v1.13.1

v1.13.0

v1.12.10

v1.12.9

v1.12.8

v1.12.7

v1.12.6

v1.12.5

v1.12.4

v1.12.3

v1.12.2-rc.6

v1.12.2-rc.5

v1.12.2-rc.4

v1.12.2-rc.3

v1.12.2-rc.2

v1.12.2-rc.1

v1.12.2-rc.0

v1.12.1

v1.12.0

v1.12.0-rc.8

v1.12.0-rc.7

v1.12.0-rc.6

v1.12.0-rc.5

v1.12.0-rc.4

v1.12.0-rc.3

v1.12.0-rc.2

v1.12.0-rc.1

v1.12.0-rc.0

v1.11.1

v1.11.0

v1.10.3

v1.10.2

v1.10.1

v1.10.0

v1.10.0-rc.5

v1.10.0-rc.4

v1.10.0-rc.3

v1.10.0-rc.2

v1.10.0-rc.1

v1.10.0-rc.0

v1.9.1-rc.9

v1.9.1

v1.9.1-rc.8

v1.9.1-rc.7

v1.9.1-rc.6

v1.9.1-rc.5

v1.9.1-rc.4

v1.9.1-rc.3

v1.9.1-rc.2

v1.9.1-rc.1

v1.9.1-rc.0

v1.9.0

v1.9.0-rc.12

v1.9.0-rc.11

v1.9.0-rc.10

v1.9.0-rc.9

v1.9.0-rc.8

v1.9.0-rc.7

v1.9.0-rc.6

v1.9.0-rc.5

final-marketing-release

v1.9.0-rc.4

v1.9.0-rc.3

v1.9.0-rc.2

v1.9.0-rc.1

v1.9.0-rc.0

v1.8.1

v1.8.1-rc.9

v1.8.1-rc.8

v1.8.1-rc.7

v1.8.1-rc.6

v1.8.1-rc.5

v1.8.1-rc.4

v1.8.1-rc.3

v1.8.1-rc.2

v1.8.1-rc.1

v1.8.1-rc.0

v1.8.0-rc.4

v1.8.0

v1.8.0-rc.3

v1.8.0-rc.2

v1.8.0-rc.1

v1.8.0-rc.0

v1.7.2

v1.7.2-rc.4

v1.7.2-rc.3

v1.7.2-rc.2

v1.7.2-rc.1

v1.7.2-rc.0

v1.7.1-rc.3

v1.7.1

v1.7.1-rc.2

v1.7.1-rc.1

v1.7.1-rc.0

v1.7.0

v1.7.0-rc.5

v1.7.0-rc.4

v1.7.0-rc.3

v1.7.0-rc.2

v1.7.0-rc.1

v1.7.0-rc.0

v1.6.1

v1.6.1-rc.1

v1.6.1-rc.0

v1.6.0

v1.6.0-rc.3

v1.6.0-rc.2

v1.6.0-rc.1

v1.6.0-rc.0

v1.5.6

v1.5.6-rc.4

v1.5.6-rc.3

v1.5.6-rc.2

v1.5.6-rc.1

v1.5.6-rc.0

v1.5.5-rc.8

v1.5.5

v1.5.5-rc.7

v1.5.5-rc.6

v1.5.5-rc.5

v1.5.5-rc.4

v1.5.5-rc.3

v1.5.5-rc.2

v1.5.5-rc.1

v1.5.5-rc.0

v1.5.4-rc.5

v1.5.4

v1.5.4-rc.4

v1.5.4-rc.3

v1.5.4-rc.2

v1.5.4-rc.1

v1.5.4-rc.0

v1.5.3-rc.1

v1.5.3

v1.5.3-rc.0

v1.5.2-rc.8

v1.5.2

v1.5.2-rc.7

v1.5.2-rc.6

v1.5.2-rc.5

v1.5.2-rc.4

v1.5.2-rc.3

v1.5.2-rc.2

v1.5.2-rc.1

v1.5.2-rc.0

v1.5.1

v1.5.1-rc.0

v1.5.0-rc.6

v1.5.0

v1.5.0-rc.5

v1.5.0-rc.4

v1.5.0-rc.3

v1.5.0-rc.2

v1.5.0-rc.1

v1.5.0-rc.0

v1.4.0-rc.0

v1.4.0

v1.3.2-rc.0

v1.3.1-rc.2

v1.3.1

v1.3.1-rc.1

v1.3.1-rc.0

v1.3.0-rc.2

v1.3.0

v1.3.0-rc.1

v1.3.0-rc.0

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1

v1.0

v0.9

before-prettier

0.9-developer-preview

Labels

Clear labels   

Compliance

  

Stale

  

apps: marketing

  

apps: web

  

community

  

component: api

  

component: integrations

  

component: ui

  

duplicate

  

effort: low

  

effort: medium

  

good first issue

  

hacktoberfest

  

help wanted

  

needs triage

  

needs-replication

  

needs-testing

  

on-hold

  

osshack

  

priority: high

  

priority: low

  

priority: medium

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

roadmap

  

status: assigned

  

status: blocked

  

status: in progress

  

status: triage

  

type: bug

  

type: bug

  

type: bug

  

type: documentation

  

type: enhancement

  

type: feature

  

wontfix

  

💎 Bounty

  

💰 Rewarded

  

💰 Rewarded

No labels

Compliance

Stale

apps: marketing

apps: web

community

component: api

component: integrations

component: ui

duplicate

effort: low

effort: medium

good first issue

hacktoberfest

help wanted

needs triage

needs-replication

needs-testing

on-hold

osshack

priority: high

priority: low

priority: medium

pull-request

question

roadmap

status: assigned

status: blocked

status: in progress

status: triage

type: bug

type: bug

type: bug

type: documentation

type: enhancement

type: feature

wontfix

💎 Bounty

💰 Rewarded

💰 Rewarded

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/documenso#166

No description provided.