WIP: hotfixing invalidated login links #158
No reviewers
Labels
No Label
auth
back
bug
ci/cd
docs
duplicate
dx
enhancement
front
help wanted
invalid
mail
newsletter
openpgp ca
ops
question
ui/ux
wontfix
No Milestone
No project
No Assignees
3 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: fsfe-system-hackers/fsfe-cd#158
Loading…
Reference in New Issue
No description provided.
Delete Branch "hotfix-invalidated-login-links"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This fixes #129 and also fsfe-system-hackers/forms#12. It's quick and dirty and I'll see whether I can find a better solution.
I wonder though whether this meaningfully decreases security against the (quite insecure) status quo and if so how.
Thanks for coming up with this hot fix for a known bug.
My perspective is that it does not worsen the situation. If mails are intercepted, it does not really matter IMHO whether a link can be used only once. It's just a bit uncommon I think.
The only possible additional attack vector would be that someone who cannot read the email but the user's traffic (e.g. by sniffing) could extract the GET parameter of the one-time login and use it themselves. However, whoever can sniff network traffic could also read the unencrypted email. The user would just lose a "warning sign" if they actually would care about it – which I doubt for 99% of the users.
Of course, this is no silver bullet to the more fundamental rework of the FSFE-wide authentication system.
I think this fix is acceptable. I don't see how it would fix fsfe-system-hackers/forms#12, though.
WIP: hotfixing invalidated login tokens by link-followersto WIP: hotfixing invalidated login linksIt would do so by the link not being invalidated upon successful authentication with it. But I already openened a PR with a more comprehensive fix for this issue: #159
I'll have a look at #159 soon, but I think regarding fsfe-system-hackers/forms#12 there's a misunderstanding: that issue is not about the login links, but about the confirmation links for double opt-in, completely handled in fsfe-forms.
Yes! I'm sorry for the confusion. I don't know a lot about
forms
, so I made unfounded assumptions.@reinhard @max.mehl Let me know if I should close this in favour of #159
Yes, I think #159 is the by far better solution.
Pull request closed