
Don't rely on me in the callback URL #79

Closed
aaronpk opened this issue Jul 1, 2017 · 3 comments

Comments

@aaronpk
Owner

aaronpk commented Jul 1, 2017

Should get the me from the session to avoid being tricked into exchanging the auth code at some other server.

@cweiske
Contributor

cweiske commented Aug 18, 2017

This breaks https://commentpara.de, which hands out different user URLs depending on their login.

You input https://commentpara.de/ as URL, and the auth endpoint returns https://commentpara.de/user/3.htm

@aaronpk
Owner Author

aaronpk commented Aug 18, 2017

@cweiske This is just about not using the me returned in the callback URL. Quill still uses the me returned from the POST request that gets an access token. It looks like commentpara.de is returning me=https://commentpara.de/ in the response but it should actually return the unique user URL for the user who logged in. cweiske/anoweco#3

@cweiske
Contributor

cweiske commented Aug 18, 2017

For reference: Taking "me" from the callback is not secure because the user could change/forge that.
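The following is an added example, not code from the Quill project or from either participant, showing the client-side callback handling the thread argues for: the `me` and the endpoints are read from the client's own session (the values it stored before redirecting the user), the `state` is compared against the session, anything named `me` in the callback query string is ignored, and the `me` that the client acts on is the one returned by the token endpoint's POST response. The returned `me` may differ from the URL the user typed (the commentpara.de case, where https://commentpara.de/ becomes https://commentpara.de/user/3.htm), so the example accepts a changed `me` only when it is on the same host as the original; that same-host rule, the `AuthSession` shape, the `TokenExchanger` callable, the sample session values and the constructed token response are all assumptions of this example, not something the issue specifies.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlsplit


class CallbackError(Exception):
    """Raised when the callback cannot be trusted or the exchange fails."""


@dataclass(frozen=True)
class AuthSession:
    """What the client stored in its own session BEFORE redirecting the user.

    Every value here comes from the client, never from the callback URL.
    (Hypothetical structure for this example.)
    """
    state: str
    me: str                      # the URL the user typed in
    authorization_endpoint: str  # discovered from `me` before the redirect
    token_endpoint: str          # discovered from `me` before the redirect
    client_id: str
    redirect_uri: str


# Callable that POSTs the code to a token endpoint and returns the parsed
# response body.  Injected so the example runs offline.
TokenExchanger = Callable[[str, Dict[str, str]], Dict[str, str]]


def _same_host(a: str, b: str) -> bool:
    """Simplified verification rule used by this example: a returned `me`
    is accepted if it shares scheme and host with the original `me`."""
    pa, pb = urlsplit(a), urlsplit(b)
    return pa.scheme == pb.scheme and pa.hostname == pb.hostname


def handle_callback(session: AuthSession, query: Dict[str, str],
                    exchange: TokenExchanger) -> Dict[str, str]:
    """Process the redirect back to the client.

    `query` is the parsed callback query string.  It is attacker-controlled:
    the only things taken from it are `code` and `state`, and `state` is only
    used to match against the session.  A `me` parameter in the query is
    deliberately never read.
    """
    if "error" in query:
        raise CallbackError("authorization endpoint returned %s" % query["error"])
    code = query.get("code")
    state = query.get("state")
    if not code or not state:
        raise CallbackError("callback is missing code or state")
    # Constant-time compare against the state we generated ourselves.
    if not hmac.compare_digest(state, session.state):
        raise CallbackError("state does not match this session")

    # Exchange the code at the token endpoint WE discovered earlier, never at
    # one named in the callback.  The `me` sent along is the session's.
    response = exchange(session.token_endpoint, {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": session.client_id,
        "redirect_uri": session.redirect_uri,
        "me": session.me,
    })
    returned_me: Optional[str] = response.get("me")
    token: Optional[str] = response.get("access_token")
    if not returned_me or not token:
        raise CallbackError("token endpoint did not return me and access_token")
    # The endpoint may hand back a more specific user URL; accept it only if
    # it still belongs to the site the user originally identified as.
    if not _same_host(returned_me, session.me):
        raise CallbackError("returned me %s is not on the host of %s"
                            % (returned_me, session.me))
    return {"me": returned_me, "access_token": token}


def rejects(session: AuthSession, query: Dict[str, str],
            exchange: TokenExchanger) -> bool:
    """True if handle_callback refuses this callback (used for checks below)."""
    try:
        handle_callback(session, query, exchange)
    except CallbackError:
        return True
    return False


# ---- constructed sample data (not from the issue) --------------------------
SAMPLE_SESSION = AuthSession(
    state="constructed-state-1234",
    me="https://commentpara.de/",
    authorization_endpoint="https://commentpara.de/auth",   # assumed path
    token_endpoint="https://commentpara.de/token",          # assumed path
    client_id="https://client.example/",
    redirect_uri="https://client.example/callback",
)

# A callback query that carries a forged `me`; it must have no effect.
SAMPLE_CALLBACK_QUERY = {
    "code": "constructed-code",
    "state": "constructed-state-1234",
    "me": "https://attacker.example/",
}


def fake_token_exchange(endpoint: str, form: Dict[str, str]) -> Dict[str, str]:
    """Stand-in for the HTTP POST; returns the user-specific URL, as the
    thread says commentpara.de should."""
    if endpoint != SAMPLE_SESSION.token_endpoint or form["code"] != "constructed-code":
        return {"error": "invalid_grant"}
    return {"me": "https://commentpara.de/user/3.htm",
            "access_token": "constructed-token"}


def fake_exchange_other_host(endpoint: str, form: Dict[str, str]) -> Dict[str, str]:
    """Stand-in whose response names a user on an unrelated host."""
    return {"me": "https://elsewhere.example/user/1",
            "access_token": "constructed-token"}


if __name__ == "__main__":
    result = handle_callback(SAMPLE_SESSION, SAMPLE_CALLBACK_QUERY, fake_token_exchange)
    print("logged in as", result["me"])   # the POST response's me, not the query's
```

Running the module logs the user in as https://commentpara.de/user/3.htm even though the callback query claimed `me=https://attacker.example/`; a callback with the wrong `state`, or a token response whose `me` is on a different host, is refused.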
