Move login flow to accounts website. #4964
Conversation
@@ -4,7 +4,7 @@ | |||
<meta charset="utf-8" /> | |||
<meta | |||
http-equiv="Content-Security-Policy" | |||
content="font-src 'self' data:; default-src * insomnia://*; img-src blob: data: * insomnia://*; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src blob: data: mediastream: * insomnia://*;" | |||
content="font-src 'self' data:; connect-src * data:; default-src * insomnia://*; img-src blob: data: * insomnia://*; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src blob: data: mediastream: * insomnia://*;" |
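Review bot: Making `connect-src` explicit on the new line (`connect-src * data:`) stops it from falling back to `default-src * insomnia://*`, so a fetch/XHR to an `insomnia://` URL is no longer permitted by this policy although it was before; if any renderer code loads `insomnia://` resources that way, the directive needs `insomnia://*` too (`connect-src * data: insomnia://*`). The `data:` addition itself widens little, because `*` already admits every http(s)/ws(s) origin while matching neither `data:` nor custom schemes; what it newly admits is fetching data: URLs, which the policy already allows for `img-src` and `media-src`. Since the reason for `data:` is recorded only in this PR discussion, an HTML comment above the `<meta>` tag saying it exists for the fetch-and-blob base64 path would keep the next editor from removing it.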
Note: This is to allow for fast ArrayBuffer base64 computation via fetch and blob. It is a bit of a hack, but the approach is very fast in both Electron and the browser. I sincerely believe there is no security implication of adding `data:` to `connect-src`, but I am not 100% certain of this.
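To make the effect of the CSP change concrete, here is a small CSP evaluator written for this page (it is not Insomnia's code). The two policy strings are copied from the diff; the target URLs are constructed for the example. It applies the CSP rules that matter here: a directive that is present suppresses the `default-src` fallback entirely, a scheme-source such as `data:` matches only that scheme, and `*` matches http/https/ws/wss URLs but never `data:`, `blob:` or custom schemes such as `insomnia:`. Ports, paths and `'self'` are handled only superficially (a simplification of the example, not the spec).

```javascript
// Added example, not Insomnia's code: evaluate fetch-directive decisions under
// the policy before and after "connect-src * data:" was introduced.
const OLD_CSP =
  "font-src 'self' data:; default-src * insomnia://*; img-src blob: data: * insomnia://*; " +
  "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src blob: data: mediastream: * insomnia://*;";
const NEW_CSP =
  "font-src 'self' data:; connect-src * data:; default-src * insomnia://*; img-src blob: data: * insomnia://*; " +
  "script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src blob: data: mediastream: * insomnia://*;";

// Parse "name src src; name src" into a Map. Per spec the first occurrence of a
// directive name wins; later duplicates are ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives (connect-src, img-src, ...) inherit default-src only when
// they are absent. null means neither is set, i.e. no restriction.
function effectiveSources(directives, directive) {
  if (directives.has(directive)) return directives.get(directive);
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

const NETWORK_SCHEMES = new Set(['http:', 'https:', 'ws:', 'wss:']);

function sourceMatches(src, url, documentOrigin) {
  if (src === '*') return NETWORK_SCHEMES.has(url.protocol);
  if (src === "'self'") return documentOrigin !== undefined && url.origin === documentOrigin;
  if (src.startsWith("'")) return false; // 'unsafe-inline', 'unsafe-eval' never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return src.toLowerCase() === url.protocol; // scheme-source
  // host-source: [scheme://]host[:port][/path]; host may be "*" or "*.example".
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9.-]+)(?::(\*|\d+))?(\/.*)?$/i);
  if (!m) return false;
  const [, scheme, host] = m;
  const schemeOk = scheme ? scheme.toLowerCase() + ':' === url.protocol : NETWORK_SCHEMES.has(url.protocol);
  if (!schemeOk) return false;
  if (host === '*') return true;
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1).toLowerCase());
  return url.hostname === host.toLowerCase();
}

// Would a fetch()/XHR/WebSocket (or image load, etc.) to `target` pass `policy`?
function allows(policy, directive, target, documentOrigin) {
  const sources = effectiveSources(parseCsp(policy), directive);
  if (sources === null) return true;
  const url = new URL(target);
  return sources.some((src) => sourceMatches(src, url, documentOrigin));
}

// Constructed targets exercising the change.
const DATA_URL = 'data:application/octet-stream;base64,AAEC';
const DEEP_LINK = 'insomnia://app/auth/login';
const API_URL = 'https://api.insomnia.rest/v1/session';

function compareConnectSrc() {
  return {
    dataBefore: allows(OLD_CSP, 'connect-src', DATA_URL),      // false: fallback to default-src, which lacks data:
    dataAfter: allows(NEW_CSP, 'connect-src', DATA_URL),       // true: the new explicit directive lists data:
    insomniaBefore: allows(OLD_CSP, 'connect-src', DEEP_LINK), // true: inherited insomnia://* from default-src
    insomniaAfter: allows(NEW_CSP, 'connect-src', DEEP_LINK),  // false: explicit connect-src no longer inherits it
    apiAfter: allows(NEW_CSP, 'connect-src', API_URL),         // true: '*' already covered every https origin
  };
}
```

The `insomniaAfter` result is the one worth checking in the app: an explicit `connect-src` replaces the `default-src` list rather than extending it, so anything that relied on `insomnia://*` through the fallback needs it listed again.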
Does the session expiration flow still say "...continue using Insomnia Plus"? If so, "Insomnia Plus" isn't a thing anymore so we should figure out different language.
This is from the API, not this PR, so it will be fixed whenever the change is deployed in the backend.
LGTM
OK, I could probably get more reviews to be safe, but I actually feel pretty confident with the state we got it in, so I'm going to just go for the merge. Thanks everyone.
UI
The UI from the application side looks like this.
Screenshots (not reproduced here): Login Modal, Initial State, Enter Manual Token.
Rationale
Our intent with this PR is to unify the SRP handshake and key derivation in one place. To spell it out explicitly, the intent of this PR is not to obfuscate the login process from the public, but just to make the app more flexible so that we can implement additional features to login without needing to duplicate it between the app and the accounts website.
Security
The security model of this new login process has some implications. The general flow works like this:
- ... `insomnia://` deep-link containing a sealed box with the derived key and session token.

Though this removes both SRP and key derivation from the app side of the login flow, some code in the app still needs to deal with SRP and the key derivation process for the time being; this will be dealt with in the future, allowing us to remove a significant amount of code and some dependencies. For now, the remainder of session code is unchanged.
There are a few assumptions:
This login flow is assumed to be secure with those assumptions.
Here are some example scenarios:
- ... `insomnia://` protocol to be able to steal the tokens directly out of the automatic flow. This is unlikely in cases where the computer is not compromised. (They could still try to convince the user to copy and paste the token into an attacker-controlled input.)

changelog(Improvements): Login flow is now done using the app.insomnia.rest website