Bug 1187504 - Find a better way to handle user credentials in Bugzilla Auth Delegation flow
Status: Closed, RESOLVED DUPLICATE of bug 1175643
Opened 9 years ago; closed 9 years ago
Product/Component: Bugzilla :: User Accounts (enhancement, P1)
Reporter: kohei; Assignee: Unassigned
Keywords: privacy
Description

+++ This bug was initially created as a clone of Bug #1144468 +++

Today I felt nervous when I found someone's Bugzilla user name and API key on the BzDeck server's access log. I forgot the fact that the URL params are stored as part of the log.

http://bugzilla.readthedocs.org/en/latest/integrating/auth-delegation.html
https://www.facebook.com/notes/bzdeck/update-to-our-privacy-policy/721026424689736

Once the user signs in, the app obtains his/her credentials anyway, but I wonder if there is a better way to transmit the info. Because URL params are logged in plaintext format, anyone who has access to the server's access log can see and abuse them if they want.

Possible solutions:

1. Send the params as POST data.
   Pros: easy for Bugzilla to implement
   Cons: JavaScript code cannot obtain the data
2. Send the params using the cross-origin Messaging API as I suggested in Bug 1144468 Comment 1.
   Pros: easy for apps to implement
   Cons: requires Bugzilla extra work; limited browser support (IE8+)
3. Send a time-limited, one-time token instead of the API key.
   Pros: easy for apps to implement
   Cons: requires Bugzilla extra work; still a chance of abuse if the access log is monitored in realtime

Any other ideas?
Comment 1 (9 years ago)

Isn't this a duplicate of bug 1175643?

Comment 2 (9 years ago), Reporter

Thanks!
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE