Comments (5)
@ayushn21 thank you for taking the time to post this since I think it's valuable information. Since the API mentions that using a `signed_id` is "... particularly useful for things like password reset or email verification", I'm not too concerned. If the `secret_key_base` becomes compromised I'd imagine that the application would be vulnerable to multiple attacks.
However, I do think it's worth keeping this issue open to raise awareness and keep the conversation going. Thanks again!
from rails-authentication-from-scratch.
I appreciate you taking the time to highlight this though. I'm learning a lot!
from rails-authentication-from-scratch.
Also worth mentioning is that the same flaw exists if the `session_token` and `remember_token` are stored in plain text in the database. Again I'm assuming that an attacker has access to the database and `secret_key_base`. If somehow they do, then they can forge sessions and impersonate any user.
If those tokens are also stored with `has_secure_password` then the above loophole is closed as they won't have the plain text tokens they need to put into their forged cookie.
from rails-authentication-from-scratch.
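The two storage choices discussed in the comment above, as an added example that is not part of this thread or of rails-authentication-from-scratch. It assumes a constructed in-memory table in place of the database, an HMAC over the token in place of Rails' signed cookie, and SHA-256 in place of the bcrypt hashing that `has_secure_password` performs; the point is that with digested storage, the database contents plus the key no longer yield a cookie that resolves to a user.

```ruby
require "openssl"
require "securerandom"

SECRET_KEY_BASE = "constructed-demo-secret"  # stand-in for the app's secret_key_base
DB = { plaintext: {}, digested: {} }          # constructed in-memory "users" table, keyed by user id

# Stand-in for bcrypt / has_secure_password: one-way digest of the token.
def digest(token)
  OpenSSL::Digest::SHA256.hexdigest(token)
end

# Constant-time string comparison so MAC checks do not leak timing.
def ct_equal?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).map { |x, y| x ^ y }.reduce(0, :|).zero?
end

# Sign a cookie value with the key base: "<value>--<hmac>", like a signed cookie.
def sign(value)
  "#{value}--#{OpenSSL::HMAC.hexdigest('SHA256', SECRET_KEY_BASE, value)}"
end

# Return the signed value if the MAC checks out, nil otherwise.
def verify(cookie)
  value, mac = cookie.split("--", 2)
  return nil unless mac && ct_equal?(mac, OpenSSL::HMAC.hexdigest("SHA256", SECRET_KEY_BASE, value))
  value
end

# Log a user in: mint a random session token and store it in plaintext or as a digest.
def issue_session(user_id, mode)
  token = SecureRandom.hex(16)
  DB[mode][user_id] = mode == :plaintext ? token : digest(token)
  sign(token)
end

# Resolve a session cookie to a user id (nil if the MAC or the lookup fails).
def current_user(cookie, mode)
  token = verify(cookie)
  return nil unless token
  DB[mode].key(mode == :plaintext ? token : digest(token))
end

# Knowing only the stored database value and the key: does signing it produce a usable session?
# True for plaintext storage (the loophole), false for digested storage (the loophole closed).
def db_value_usable_as_session?(user_id, mode)
  !current_user(sign(DB[mode][user_id]), mode).nil?
end
```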
> "... particularly useful for things like password reset or email verification", I'm not too concerned
Yeah absolutely. In 99.9%, or even 99.99% of cases I'm sure it'd be totally fine!
> If the secret_key_base becomes compromised I'd imagine that the application would be vulnerable to multiple attacks.
For sure. The app would be at serious risk if the key base was compromised. My aim with this issue was to suggest a method to minimise the exposure until a new key base can be deployed. Again making some serious assumptions about the attacker having access to sensitive information so this is all pretty low-risk "worst case scenario" stuff so just worth a chat about I reckon :)
from rails-authentication-from-scratch.
Happy to help! :)
from rails-authentication-from-scratch.