Chore: Strip JWT from URL once authenticated #113

Open

nelsonic opened this issue Feb 23, 2023 · 0 comments

@nelsonic (Member)
As noted in dwyl/auth#268, the JWT for a successfully authenticated session remains in the URL:

This is undesirable because if there was a malicious <link> on the page
or someone loaded an <img> on the page that made an outbound HTTP Request,
the JWT would be in the referrer header of the request
and thus the session could be compromised.
i.e. a malicious actor could just extract the JWT from their logs
and replay it to gain access to everything the person has saved in the dwyl App.

Note: this is not an "active exploit". We are still testing our MVP.
Nobody has stored any personal/private/important data in the MVP
and there has not been any indication of anyone malicious attempting to "steal" a JWT.
I am opening this issue proactively to resolve this before it becomes an exploit.

Todo

  • Strip jwt from URL once the session has been established.

Note: this will be rolled into the V2 update "Coming Soon" ... 🔜
So please ignore it until then. 👌
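One way to implement the todo above on the client, as an added example that is not part of this issue and not dwyl's own code. It assumes the token arrives as a `jwt` query parameter; the parameter name, the sample URLs and the function names are assumptions, and the token values are constructed placeholders rather than real JWTs.

```javascript
// Added example, not dwyl's code: remove the JWT query parameter from the URL
// once the session is established, so later subresource requests made from
// this page do not carry the token in their Referer header.

// Assumed parameter name; the real app may use a different one.
const JWT_PARAM = "jwt";

/**
 * Return a copy of `urlString` with the JWT query parameter removed.
 * Path, other query parameters and the fragment are preserved.
 * Returns the input unchanged when no JWT parameter is present.
 */
function stripJwtFromUrl(urlString, paramName = JWT_PARAM) {
  const url = new URL(urlString);
  if (!url.searchParams.has(paramName)) {
    return urlString;
  }
  url.searchParams.delete(paramName);
  // URL serialisation drops the "?" entirely when no parameters remain.
  return url.toString();
}

/**
 * Browser-side: if the current location carries the JWT, rewrite the current
 * history entry with the cleaned URL. history.replaceState performs no
 * navigation and replaces (rather than adds) the entry, so the tokenised URL
 * is not left behind in the tab's history.
 * Returns the cleaned URL, or null when nothing was stripped or when not
 * running in a browser (e.g. under Node).
 */
function stripJwtFromLocation(paramName = JWT_PARAM) {
  if (typeof window === "undefined" || !window.history || !window.location) {
    return null;
  }
  const before = window.location.href;
  const after = stripJwtFromUrl(before, paramName);
  if (after === before) {
    return null;
  }
  window.history.replaceState(window.history.state, "", after);
  return after;
}

// Constructed sample input (placeholder token, not a real JWT).
const SAMPLE_URL = "https://app.example/dashboard?jwt=eyJhbGciOi.payload.sig&tab=2#notes";
console.log(stripJwtFromUrl(SAMPLE_URL)); // https://app.example/dashboard?tab=2#notes
```

Run `stripJwtFromLocation()` as early as possible after the session is established. Note what this does not cover: the token has already reached the server access log and any proxy on the way in, and an `<img>` or `<link>` that the browser starts fetching while parsing the HTML may fire before this script runs. A server-side fix, where the auth callback sets the session cookie and responds with a redirect to a clean URL, removes the token from the page URL before any subresource is requested, so the client-side strip is best treated as a safety net rather than the only measure.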
