
Screen Auth: Validation of temp tokens #739

Open
mikldt opened this Issue Oct 9, 2013 · 1 comment

3 participants

@mikldt
Concerto Digital Signage member
mikldt commented Oct 9, 2013

This is a low-priority security issue, more of a potential nuisance than a potential exploit.

The screen auth API should find a way to validate that temp tokens were really issued by the server, preventing an attacker who can see the screen during configuration, or even just guess the temp token, from impersonating the newly-authorized screen before it gets its permanent token.

This needs to work without cookies, since we're allowing a dumb client for these API requests.
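
One way to make temp tokens verifiable without cookies, as an added example that is not Concerto's own code: the server issues a token carrying an HMAC tag over a random id and an expiry, so a later API request presenting the token can be checked for server origin with no session state. The module name, token format, the 600-second lifetime and the idea of showing only the id on screen are assumptions.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical helper (not Concerto's code). A token looks like
# "<id>.<expiry>.<tag>": the id is what the screen displays for the admin
# to type in, the expiry is a Unix timestamp, and the tag is an HMAC over
# "<id>.<expiry>" under a server-side secret. The screen keeps the full
# token for its API requests; someone who only sees the screen (or guesses
# an id) cannot produce a valid tag.
module TempToken
  TTL = 600 # seconds a temp token stays valid (assumed value)

  def self.issue(secret, now: Time.now.to_i)
    payload = "#{SecureRandom.hex(4)}.#{now + TTL}"
    "#{payload}.#{tag(secret, payload)}"
  end

  # The short part shown on the screen for the admin to enter.
  def self.display_id(token)
    token.to_s.split('.', 3).first
  end

  # Returns the token id when the tag verifies and the token is unexpired,
  # otherwise nil. Callers should also check that an admin actually
  # authorized that id before handing out a permanent token.
  def self.verify(secret, token, now: Time.now.to_i)
    id, exp, tag = token.to_s.split('.', 3)
    return nil if id.nil? || exp.nil? || tag.nil?
    return nil unless secure_equal?(tag, tag(secret, "#{id}.#{exp}"))
    return nil if exp.to_i <= now
    id
  end

  def self.tag(secret, payload)
    OpenSSL::HMAC.hexdigest('SHA256', secret, payload)[0, 16]
  end

  # Constant-time comparison so a wrong tag is not rejected byte by byte.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```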

@mikldt mikldt was assigned Oct 9, 2013
@simplysoft

For me it's not quite clear why even a temp token exists.
Strictly speaking it is not necessary for the server to provide any temp token. The screen could very well just generate an authentication token on its own and display it to the user. An administrator can then just set up the screen with that token. This would solve the problem about exposing a temporary token.

Another problem is that concerto-hardware is deliberately modifying the temp / auth token to recognize the screen as a hardware player, so validation might not be that straightforward.

@augustf augustf modified the milestone: Concerto 2.3 (Frontend) Nov 26, 2014
@mikldt mikldt was unassigned by augustf Mar 24, 2015
@mikldt mikldt was assigned by augustf Aug 21, 2015
@augustf augustf modified the milestone: 2.31 Sep 13, 2015
@augustf augustf modified the milestone: 2.3.2 Dec 9, 2015