Someone logged in to my develop tenant

I just logged into my dev server and noticed that I have an error.

And after checking my tenant, I noticed that someone logged in to my dev tenant.

My login was working fine after the issue resolution. Athorization stopped saving and started asking consent on localhost - #3 by nik.baleca

But now it is not working for the local environment again.

I cleared my site data, and the error has gone. But why does it start appearing if I had not encountered it before?

And how is it possible that someone logged in via my dev environment? Have my credentials leaked?

I just created new credentials for the dev tenant. But I would like to know if it was someone from support, or if I might have leaked credentials.

Hi @yaroslavtereshchuk

Thank you for reaching out to us!

I understand that you have found an error message of "Unhandled promise rejection: Missing refresh token" in your dev server, with the audience of a different email address than yours.

There are a couple of explanations which could indicate this just being an error and not that your credentials were compromised or that an attacker tried to access your environment:

  • based on the shared screenshot, it appears that the Username-Password-Authentication user last logged in 2 years ago, with only 2 login counts → it could be a test user that was previously used;

  • as Auth0 supports Single Sign-On (SSO), it is possible to have accessed a different account in another tab or application and your browser maintained an active session with the Auth0 domain. When an attempt was made to log in to your dev environment, the active cookie was passed to Auth0 in an attempt at authentication;

  • in case you do not recognize the email address, it is still not guaranteed that any credentials were leaked. When developing locally on a localhost port, it is possible that working on a different project or repository (or potentially a colleague’s work) has created a mock Auth0 configuration with its own local tokens or session variables in your browser’s storage. When the dev server was started, it might have pulled those unrecognized keys from the localhost's shared storage and tried to use them.

For added security, we recommend checking the tenant’s logs and filtering for "Success Login" events. These would be a clear indication of an attacker gaining access to your environment and would generally be accompanied by other logs under email or IP addresses that are not recognized. If this error does not return, it is likely to have been caused by stored data which were passed as audience during the login transaction.

Let us know if this helped with the issue, and please do not hesitate to reach out for any further assistance.

Best regards,
Gerald
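
The log check recommended in the reply above, as an added example (not part of the original thread and not Auth0's own code): it filters exported tenant log events for Success Login (type `s`), flags those from a user or IP you do not recognise, and attaches the other events seen for that same user or IP. The sample events are constructed, and the allow-lists `KNOWN_USERS` and `KNOWN_IPS` are assumptions you would replace with your own values.

```python
import json

# Constructed sample events, shaped like exported Auth0 tenant logs.
# "s" is the Success Login event type, "f" is Failed Login.
SAMPLE_LOGS = json.loads("""
[
  {"date": "2024-05-01T09:12:00Z", "type": "s", "user_name": "dev@example.com", "ip": "198.51.100.10"},
  {"date": "2024-05-02T03:40:11Z", "type": "f", "user_name": "dev@example.com", "ip": "203.0.113.77"},
  {"date": "2024-05-02T03:41:02Z", "type": "s", "user_name": "dev@example.com", "ip": "203.0.113.77"},
  {"date": "2024-05-02T03:45:30Z", "type": "s", "user_name": "tmp-test@example.net", "ip": "198.51.100.10"},
  {"date": "2024-05-03T10:00:00Z", "type": "f", "user_name": "dev@example.com", "ip": "198.51.100.10"}
]
""")

KNOWN_USERS = {"dev@example.com"}  # assumption: accounts you expect to log in
KNOWN_IPS = {"198.51.100.10"}      # assumption: addresses you log in from


def triage_success_logins(events, known_users, known_ips):
    """Flag Success Login events with an unrecognised user or IP, and attach
    the other log events seen for that same user or IP."""
    findings = []
    for ev in events:
        if ev.get("type") != "s":
            continue
        reasons = []
        if ev.get("user_name") not in known_users:
            reasons.append("unrecognised user")
        if ev.get("ip") not in known_ips:
            reasons.append("unrecognised ip")
        if not reasons:
            continue
        # Other events (any type) that share the unrecognised attribute.
        related = [
            other for other in events
            if other is not ev and (
                ("unrecognised ip" in reasons and other.get("ip") == ev.get("ip"))
                or ("unrecognised user" in reasons
                    and other.get("user_name") == ev.get("user_name"))
            )
        ]
        findings.append({"login": ev, "reasons": reasons, "related": related})
    return findings


if __name__ == "__main__":
    for finding in triage_success_logins(SAMPLE_LOGS, KNOWN_USERS, KNOWN_IPS):
        ev = finding["login"]
        print(ev["date"], ev["user_name"], ev["ip"], finding["reasons"],
              len(finding["related"]), "related event(s)")
```

A flagged login with no related events and a very old date, as in this thread, points to a leftover test user rather than a compromise.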

Ok, thank you. Now I see this. For some reason, I thought the last login was 2 days ago, and that’s why I started asking.

Yes, two years ago, I should have logged in by myself using a temporary email for testing purposes.

Thank you for the answer.