Closed Bug 1187504 Opened 9 years ago Closed 9 years ago

Find a better way to handle user credentials in Bugzilla Auth Delegation flow

Categories

(Bugzilla :: User Accounts, enhancement, P1)

enhancement

RESOLVED DUPLICATE of bug 1175643

People

(Reporter: kohei, Unassigned)

Details

(Keywords: privacy)

+++ This bug was initially created as a clone of Bug #1144468 +++

Today I felt nervous when I found someone's Bugzilla user name and API key on the BzDeck server's access log. I forgot the fact the URL params are stored as part of the log.

http://bugzilla.readthedocs.org/en/latest/integrating/auth-delegation.html
https://www.facebook.com/notes/bzdeck/update-to-our-privacy-policy/721026424689736

Once the user signs in, the app obtains his/her credentials anyway, but I wonder if there is a better way to transmit the info. Because URL params are logged in the plaintext format, anyone who has access to the server's access log can see and abuse them if they want.

Possible solutions:

1. Send the params as POST data.

Pros: easy for Bugzilla to implement
Cons: JavaScript code cannot obtain the data

2. Send the params using the cross-origin Messaging API as I suggested in Bug 1144468 Comment 1.

Pros: easy for apps to implement
Cons: requires extra work on the Bugzilla side; limited browser support (IE8+)

3. Send a time-limited, one-time token instead of API key

Pros: easy for apps to implement
Cons: requires extra work on the Bugzilla side; still a chance of abuse if the access log is monitored in real time

Any other ideas?
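The exposure described above (credentials arriving as URL params and landing in the app server's access log) can be audited and cleaned up on the app side. The following is an added example, not BzDeck or Bugzilla code: it scans combined-format access-log lines for credential-bearing query parameters and redacts them in place. It assumes the callback parameter names client_api_login / client_api_key for the delegation flow and uses constructed sample log lines; the key value in them is made up.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names treated as credentials. The delegation-flow names
# are an assumption here; add whatever your deployment actually receives.
SENSITIVE_PARAMS = {"client_api_key", "api_key", "bugzilla_api_key", "password", "token"}

# Combined log format: host ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)

# Constructed sample: a GET callback that leaks a key, a POST callback
# (body is not logged, so nothing to find), and an unrelated static request.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2015:12:00:01 +0000] "GET /callback?client_api_login=user%40example.org'
    '&client_api_key=AbCdEf0123456789 HTTP/1.1" 200 512 "https://bugzilla.example/auth.cgi" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Aug/2015:12:00:02 +0000] "POST /callback HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Aug/2015:12:00:03 +0000] "GET /static/app.js HTTP/1.1" 200 8042 "-" "Mozilla/5.0"',
]

def redact_url(url):
    """Return (redacted_url, names_of_leaked_params) for one request target."""
    parts = urlsplit(url)
    leaked, clean = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            leaked.append(name)
            clean.append((name, "REDACTED"))
        else:
            clean.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(clean))), leaked

def scan_access_log(lines):
    """Return (findings, redacted_lines); a finding is (line_no, method, leaked names)."""
    findings, redacted = [], []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if m:
            new_url, leaked = redact_url(m.group("url"))
            if leaked:
                findings.append((no, m.group("method"), leaked))
                line = line[:m.start("url")] + new_url + line[m.end("url"):]
        redacted.append(line)
    return findings, redacted

if __name__ == "__main__":
    for no, method, names in scan_access_log(SAMPLE_LOG)[0]:
        print(f"line {no}: {method} request logged credential params {names}")
```

Running the same scan over a real log before it is retained or shared tells you whether the GET-based callback has already left keys on disk; switching the callback to POST (solution 1) is what keeps them out in the first place.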
Isn't this a duplicate of bug 1175643?
Thanks!
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE