[BUG] Session cookie received with API token #864
So this started out with me creating a Chrome extension for the team to get notified when new alerts are created in Hive. This works by polling the API every 30 seconds to a minute and looking at the number of alerts and source references. (Yes, I can publish this once it's done.) However, I wanted to make a user with read-only access and use the same API token for the extension for everyone on the team rather than sending each user their own token. (I know, probably not the best solution, but it was a work in progress.) However, when I started playing with this I realized that it created a session with Hive and logged the UI into the same user that was making the API calls. In one way this is very convenient, because if you just use your API token you are always logged in :)
However, when I started to think about this more I started to see some issues, because it would be easy for an admin to assume the role of any user and make calls via the UI. (I don't think the audit trail shows whether changes were made via the UI or the API; this would be useful too.) I am also wondering how this would affect users when using other authentication methods like LDAP or X.509. Could you bypass MFA when using an SSO service that supports X.509 and MFA?
When making calls with an API token, maybe don't return a session cookie? Or at least not one that allows access to non-API calls?
Also, in my use case it would be nice to be able to make API calls without sending the API token in the headers (it seems like this might be doable for a quick test) and just use the current user's session, thus forcing them to log back in if it has been too long.
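As an added illustration of the behaviour the issue asks for (example code, not TheHive's own): a minimal Python model in which an API token authenticates a request statelessly and never mints a session cookie, only interactive login does, plus an audit helper that flags a token-authenticated response that carries a session cookie. The token, password and cookie name are constructed placeholders.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed sample data (placeholders, not real TheHive values).
API_TOKENS = {"tok_readonly_PLACEHOLDER": "alerts-bot"}  # token -> user
USERS = {"alice": "pw_PLACEHOLDER"}                      # user -> password
SESSIONS: dict = {}                                      # session id -> user
SESSION_COOKIE = "session"  # assumed cookie name, not TheHive's real one

@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)

def authenticate(headers: dict) -> Tuple[Optional[str], str]:
    """Return (user, method). Token auth is stateless: no session is created."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        presented = auth[len("Bearer "):]
        for token, user in API_TOKENS.items():
            if hmac.compare_digest(token, presented):
                return user, "token"
        return None, "token"
    for part in headers.get("Cookie", "").split(";"):
        name, _, sid = part.strip().partition("=")
        if name == SESSION_COOKIE and sid in SESSIONS:
            return SESSIONS[sid], "session"
    return None, "none"

def login(user: str, password: str) -> Response:
    """Interactive login is the only path that mints a session cookie."""
    if not hmac.compare_digest(USERS.get(user, ""), password):
        return Response(401, "bad credentials")
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return Response(200, "ok", {"Set-Cookie": f"{SESSION_COOKIE}={sid}; HttpOnly; Secure"})

def list_alerts(headers: dict) -> Response:
    """A read-only API endpoint: token calls get data but no Set-Cookie."""
    user, method = authenticate(headers)
    if user is None:
        return Response(401, "unauthenticated")
    # No Set-Cookie here, so a token can never be turned into a UI session.
    return Response(200, f"alerts for {user} via {method}")

def leaks_session(req_headers: dict, resp: Response) -> bool:
    """Audit helper: True if a token-authenticated response sets a session cookie."""
    return (req_headers.get("Authorization", "").startswith("Bearer ")
            and resp.headers.get("Set-Cookie", "").startswith(SESSION_COOKIE + "="))
```

Running `leaks_session` over captured request/response pairs is a quick regression check for the behaviour reported above.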