fsfe-system-hackers
/
fsfe-cd
14
2
Fork 2
Code Issues 34 Pull Requests 12 Projects Wiki Activity

WIP: hotfixing invalidated login links #158

Closed
linus wants to merge 3 commits from hotfix-invalidated-login-links into master
pull from: hotfix-invalidated-login-links
merge into: fsfe-system-hackers:master
Conversation 7 Commits 3 Files Changed 3 +2 -6
linus commented 2022-03-09 14:45:25 +00:00
Owner
Copy Link

This fixes #129 and also fsfe-system-hackers/forms#12. It's quick and dirty and I'll see whether I can find a better solution.

I wonder though whether this meaningfully decreases security against the (quite insecure) status quo and if so how.

This fixes https://git.fsfe.org/fsfe-system-hackers/fsfe-cd/issues/129 and also https://git.fsfe.org/fsfe-system-hackers/forms/issues/12. It's quick and dirty and I'll see whether I can find a better solution. I wonder though whether this meaningfully decreases security against the (quite insecure) status quo and if so how.
linus added 3 commits 2022-03-09 14:45:26 +00:00
ff7b7b47ee remove token deletion on successful authentication 
This removes the invalidation of the login token upon successful
authentication via passwordless e-mail
continuous-integration/drone/push Build is passing Details
continuous-integration/drone/pr Build is passing Details
fb40ae4bc3 remove misleading e-mail text
max.mehl commented 2022-03-09 14:51:19 +00:00
Owner
Copy Link

Thanks for coming up with this hot fix for a known bug.

My perspective is that it does not worsen the situation. If mails are intercepted, it does not really matter IMHO whether a link can be used only once. It's just a bit uncommon I think.

The only possible additional attack vector would be that someone who cannot read the email but the user's traffic (e.g. by sniffing) could extract the GET parameter of the one-time login and use it themselves. However, whoever can sniff network traffic could also read the unencrypted email. The user would just lose a "warning sign" if they actually would care about it – which I doubt for 99% of the users.

Of course, this is no silver bullet to the more fundamental rework of the FSFE-wide authentication system.

Thanks for coming up with this hot fix for a known bug. My perspective is that it does not worsen the situation. If mails are intercepted, it does not really matter IMHO whether a link can be used only once. It's just a bit uncommon I think. The only possible additional attack vector would be that someone who cannot read the email but the user's traffic (e.g. by sniffing) could extract the GET parameter of the one-time login and use it themselves. However, whoever can sniff network traffic could also read the unencrypted email. The user would just lose a "warning sign" if they actually would care about it – which I doubt for 99% of the users. Of course, this is no silver bullet to the more fundamental rework of the FSFE-wide authentication system.
reinhard commented 2022-03-09 15:22:43 +00:00
Owner
Copy Link

I think this fix is acceptable. I don't see how it would fix fsfe-system-hackers/forms#12, though.

I think this fix is acceptable. I don't see how it would fix fsfe-system-hackers/forms#12, though.
linus changed title from WIP: hotfixing invalidated login tokens by link-followers to WIP: hotfixing invalidated login links 2022-03-09 16:27:08 +00:00
linus commented 2022-03-09 16:33:14 +00:00
Author
Owner
Copy Link

I think this fix is acceptable. I don't see how it would fix fsfe-system-hackers/forms#12, though.

It would do so by the link not being invalidated upon successful authentication with it. But I already openened a PR with a more comprehensive fix for this issue: #159

> I think this fix is acceptable. I don't see how it would fix fsfe-system-hackers/forms#12, though. It would do so by the link not being invalidated upon successful authentication with it. But I already openened a PR with a more comprehensive fix for this issue: https://git.fsfe.org/fsfe-system-hackers/fsfe-cd/pulls/159
reinhard commented 2022-03-09 16:53:04 +00:00
Owner
Copy Link

I'll have a look at #159 soon, but I think regarding fsfe-system-hackers/forms#12 there's a misunderstanding: that issue is not about the login links, but about the confirmation links for double opt-in, completely handled in fsfe-forms.

I'll have a look at #159 soon, but I think regarding fsfe-system-hackers/forms#12 there's a misunderstanding: that issue is not about the login links, but about the confirmation links for double opt-in, completely handled in fsfe-forms.
linus commented 2022-03-10 07:17:08 +00:00
Author
Owner
Copy Link

I'll have a look at #159 soon, but I think regarding fsfe-system-hackers/forms#12 there's a misunderstanding: that issue is not about the login links, but about the confirmation links for double opt-in, completely handled in fsfe-forms.

Yes! I'm sorry for the confusion. I don't know a lot about forms, so I made unfounded assumptions.

> I'll have a look at #159 soon, but I think regarding fsfe-system-hackers/forms#12 there's a misunderstanding: that issue is not about the login links, but about the confirmation links for double opt-in, completely handled in fsfe-forms. Yes! I'm sorry for the confusion. I don't know a lot about `forms`, so I made unfounded assumptions.
linus added this to the (deleted) milestone 2022-03-14 09:59:06 +00:00
linus self-assigned this 2022-03-15 13:05:43 +00:00
linus commented 2022-03-15 13:06:20 +00:00
Author
Owner
Copy Link

@reinhard @max.mehl Let me know if I should close this in favour of #159

@reinhard @max.mehl Let me know if I should close this in favour of #159
reinhard commented 2022-03-22 13:00:53 +00:00
Owner
Copy Link

Yes, I think #159 is the by far better solution.

Yes, I think #159 is the by far better solution.
linus closed this pull request 2022-04-04 14:34:27 +00:00
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details

Pull request closed

This pull request cannot be reopened because the branch was deleted.
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels   
auth

Everything related to the authentication server

  
back

Everything related to the backend server

  
bug

Something is not working

  
ci/cd

Everything related to the CI/CD pipeline

  
docs

Everything related to the documentation

  
duplicate

This issue or pull request already exists

  
dx

Everything related to the developer experience

  
enhancement

New feature

  
front

Everything related to the frontend

  
help wanted

Need some help

  
invalid

Something is wrong

  
mail

Everything related to the sending of mails

  
newsletter

issues that are related to the newsletter functionality (sending, formatting, subscription ...)

  
openpgp ca

   
ops

Everything related to internal operations of some sort

  
question

More information is needed

  
ui/ux

Everything related to the user interface and experience

  
wontfix

This won't be fixed

No Label
auth
back
bug
ci/cd
docs
duplicate
dx
enhancement
front
help wanted
invalid
mail
newsletter
openpgp ca
ops
question
ui/ux
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
linus
3 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: fsfe-system-hackers/fsfe-cd#158
No description provided.
Delete Branch "hotfix-invalidated-login-links"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?