Closed
Bug 879748
Opened 11 years ago
Closed 11 years ago
Secure the /user/:id route in webmaker-loginapi
Categories
(Webmaker Graveyard :: Login, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: cade, Assigned: sedge)
Details
(Whiteboard: u=dev c=login p=1 s=2013w23)
Attachments
(2 files)
This route makes user data publicly available (including username and account status). It's gotta go, or if someone argues for it, protected in some manner. As it stands now it steps around the protection we placed on the Make API to not publicly expose user email accounts to the world. https://webmaker.mofostaging.net/user/cade https://webmaker.mofostaging.net/user/dude https://webmaker.mofostaging.net/user/Scott
Comment 1•11 years ago
|
||
I'd much prefer the route of making it more secure. For example, with 878774 I use the username that this module tacks onto the sessions for author now with Popcorn Maker. Can we just manually get it? Sure, but I like the idea of it simply being more secure or returning less important data. Infact, maybe it should be limited to tacking that username on session and not returning any actual data.
Reporter | ||
Comment 2•11 years ago
|
||
wow. If I'm logged in as myself (cade), I can hit that route with another user's id and make the server change the username on my session to another username.
Reporter | ||
Comment 3•11 years ago
|
||
here's how it changed my cookie: http://dl.dropbox.com/u/86269810/Screenshots/z~2b.png
Reporter | ||
Comment 4•11 years ago
|
||
( It should be ["username":"cade", ..} )
Assignee | ||
Comment 5•11 years ago
|
||
I think the best solution, that sticks to why this endpoint was first created, is to add an authentication middleware to the route in the webmaker-loginapi module. This middleware would: a) check if a persona session exists i.e. `if ( req.session.email )` b) use the webmaker-loginapi's `getUser()` method with `req.session.email` to retrieve the logged-in user's details c) compare the retrieved details against the `:id` being requested in the route to confirm it's the same user Otherwise, there are two possibilities: 1) We remove the route completely, and leave it to each app's developers to add the route manually (leads to inconsistency in return data and expected behavior = bad IMO) 2) Come up with a completely different solution that replaces the need for a '/user/:id' path on each server in the first place.
Assignee | ||
Comment 6•11 years ago
|
||
Also, if we choose the middleware option, we can modify the route logic to return a safe subset of the user's information instead of the entire user object.
Reporter | ||
Comment 7•11 years ago
|
||
(In reply to Kieran Sedgwick (:sedge) from comment #5) > a) check if a persona session exists i.e. `if ( req.session.email )` > b) use the webmaker-loginapi's `getUser()` method with `req.session.email` > to retrieve the logged-in user's details > c) compare the retrieved details against the `:id` being requested in the > route to confirm it's the same user I can get behind this proposal.
Comment 8•11 years ago
|
||
Yeah, I think that sounds sane. Put it on me for review when you've done that
Assignee | ||
Updated•11 years ago
|
Assignee: nobody → kieran.sedgwick
Summary: Remove the /user/:id route from webmaker-loginapi → Secure the /user/:id route in webmaker-loginapi
Whiteboard: u=dev c=login p=1 s=2013w23
Assignee | ||
Updated•11 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Comment 9•11 years ago
|
||
https://github.com/mozilla/node-webmaker-loginapi/pull/14
Attachment #758621 -
Flags: review?(jon)
Comment 10•11 years ago
|
||
Comment on attachment 758621 [details] [review] [WIP] Pull request for this patch r-, notes in the pull request
Attachment #758621 -
Flags: review?(jon) → review-
Assignee | ||
Comment 11•11 years ago
|
||
Comment on attachment 758621 [details] [review] [WIP] Pull request for this patch https://github.com/mozilla/node-webmaker-loginapi/pull/14
Attachment #758621 -
Flags: review- → review?(jon)
Comment 12•11 years ago
|
||
Comment on attachment 758621 [details] [review] [WIP] Pull request for this patch This still won't provide any protection against visiting http://example.org/user/ksedge when I'm logged in as myself. See the pull request for more details, but this is a fundamentally broken API if it'll accept an email address, a webmaker username, or a webmaker id.
Attachment #758621 -
Flags: review?(jon) → review-
Assignee | ||
Comment 13•11 years ago
|
||
Comment on attachment 758621 [details] [review] [WIP] Pull request for this patch https://github.com/mozilla/node-webmaker-loginapi/pull/14
Attachment #758621 -
Flags: review- → review?(jon)
Comment 14•11 years ago
|
||
I don't think it event needs to be that complex. Take a look at this patch. The important part of both patches is that we take the email arguments from the session, which we trust. Other than that, this route already does what we need it to.
Updated•11 years ago
|
Attachment #758621 -
Flags: review?(jon) → review-
Assignee | ||
Comment 15•11 years ago
|
||
Okay, I can deal with that! If that's the case though, I would remove the ":userid" component of the route all together.
Comment 16•11 years ago
|
||
I would too, but then all of our consumers of this route would break
Assignee | ||
Comment 17•11 years ago
|
||
Ahhh touché! I'll leave it for backwards compatibility, and cut out the fluff in the implementation.
Assignee | ||
Comment 18•11 years ago
|
||
Comment on attachment 758621 [details] [review] [WIP] Pull request for this patch I cut out the userid stuff and touched up the readme.
Attachment #758621 -
Flags: review- → review?(jon)
Comment 19•11 years ago
|
||
Comment on attachment 758621 [details] [review] [WIP] Pull request for this patch r-, notes in pull request
Attachment #758621 -
Flags: review?(jon) → review-
Assignee | ||
Comment 20•11 years ago
|
||
Comment on attachment 758621 [details] [review] [WIP] Pull request for this patch https://github.com/mozilla/node-webmaker-loginapi/pull/14 Updated readme, fixed async return issues
Attachment #758621 -
Flags: review- → review?(jon)
Comment 21•11 years ago
|
||
Comment on attachment 758621 [details] [review] [WIP] Pull request for this patch r+ with nits, see PR
Attachment #758621 -
Flags: review?(jon) → review+
Assignee | ||
Updated•11 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
|
Attachment mime type: text/plain → text/x-github-pull-request
You need to log in
before you can comment on or make changes to this bug.
Description
•