I checked the OBS browser pages (alerts and polls) and saw that the authToken for the websocket is stored within a globally readable JS file.
The authToken should be generated (or stored in botconfig) one time, which is then appended to the browser source URL as a GET parameter.
There could also be a button to generate / regenerate the authToken within the panel.
Yes, the authToken is then present within the link, but as a streamer the browser source URL is not shown.
Currently, any user who knows a PhantomBot URL can just connect to the websocket and send commands without authentication.
I do not really understand why the given changes make the socket read-only, but even if I assume it is now read-only, read-only means that any user could read things he should not be able to.
For me this issue is not closed; the auth key is still not present in the browser URL, instead it is directly injected for everyone who knows the URL.
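
The scheme proposed in this thread, as an added example (not PhantomBot's own code): a token generated once, carried in the browser source URL, and checked server-side before any websocket command is accepted. The `authToken` parameter name follows the thread; the function names, the `authenticate`/`command` message fields and the `bot.example` URL are assumptions.

```javascript
// Added example. Function names, message fields and URLs are assumptions.
const nodeCrypto = require('crypto');

// Generate the token once (for instance from a panel "regenerate" button) and
// persist it server-side. 32 random bytes, hex-encoded, so it is URL-safe.
function generateAuthToken() {
  return nodeCrypto.randomBytes(32).toString('hex');
}

// Build the link the streamer pastes into OBS. The token travels in the query
// string instead of a static .js file that every visitor can fetch.
function buildBrowserSourceUrl(baseUrl, token) {
  const url = new URL(baseUrl);
  url.searchParams.set('authToken', token);
  return url.toString();
}

// Browser side: the overlay page reads the token from its own URL.
function tokenFromPageUrl(pageUrl) {
  return new URL(pageUrl).searchParams.get('authToken');
}

// Server side: compare the presented token with the stored one. Hashing both
// gives equal-length buffers for the constant-time comparison.
function isAuthorized(presented, expected) {
  if (typeof presented !== 'string' || presented.length === 0) return false;
  const a = nodeCrypto.createHash('sha256').update(presented).digest();
  const b = nodeCrypto.createHash('sha256').update(expected).digest();
  return nodeCrypto.timingSafeEqual(a, b);
}

// Gate for incoming websocket messages: nothing is processed, read or write,
// until the session has presented a valid token.
function handleMessage(session, rawMessage, expectedToken) {
  let msg;
  try { msg = JSON.parse(rawMessage); } catch { return { ok: false, error: 'bad json' }; }
  if (msg === null || typeof msg !== 'object') return { ok: false, error: 'bad message' };
  if (!session.authenticated) {
    session.authenticated = isAuthorized(msg.authenticate, expectedToken);
    return session.authenticated ? { ok: true } : { ok: false, error: 'auth required' };
  }
  return { ok: true, command: msg.command };
}
```

A token in the query string still ends up wherever the full URL is recorded, such as server access logs, which is why the regenerate button suggested above is worth having.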