
[security] Generated tokens are broadcast to all socket clients (by default) #126

Closed
t2t2 opened this Issue Mar 25, 2016 · 2 comments

3 participants
@t2t2

t2t2 commented Mar 25, 2016

feathers-auth-broadcast

@daffl

Member

daffl commented Mar 25, 2016

Oh dear. This can be fixed quickly though via:

app.service('auth/local').filter(() => false);

Which should probably be the default for all auth services (we don't need their events anyway).
We were discussing turning off event dispatching by default so you have to enable it explicitly. It would be the more secure but also more confusing approach.

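To make the mitigation in the previous comment concrete, here is an added example that is not code from feathers-authentication or from either commenter. It is a small stand-in for how a Feathers service event filter decides which connected sockets receive a service event: the filter is called once per connection and returning `false` drops the event for that connection (the `service.filter(fn)` semantics the comment relies on). The class `EventFilteringService`, the `makeConnection` helper, the `simulate` function and the `TOKEN_FOR_ALICE` value are all constructed for this demo; the `auth.filter(() => false)` line is the lock-down from the comment.

```javascript
// Added example: a minimal model of per-connection event filtering, written
// to show why `filter(() => false)` stops a generated token from being
// broadcast. Not the library's own implementation.

class EventFilteringService {
  constructor(name) {
    this.name = name;
    this.filters = [];      // filter functions, applied in registration order
    this.connections = [];  // constructed stand-ins for connected socket clients
  }

  // Stand-in for app.service(name).filter(fn): fn(data, connection, hook)
  // returns the data to send (possibly modified) or `false` to skip it.
  filter(fn) {
    this.filters.push(fn);
    return this;
  }

  connect(connection) {
    this.connections.push(connection);
    return connection;
  }

  // Run every filter for one connection; the first `false` wins.
  applyFilters(event, data, connection) {
    let result = data;
    for (const fn of this.filters) {
      result = fn(result, connection, { event, service: this.name });
      if (result === false) return false;
    }
    return result;
  }

  // Dispatch a service event to each connection the filters allow and
  // return the ids of the connections that actually received it.
  emit(event, data) {
    const delivered = [];
    for (const connection of this.connections) {
      const payload = this.applyFilters(event, data, connection);
      if (payload === false) continue;
      connection.received.push({ event, service: this.name, data: payload });
      delivered.push(connection.id);
    }
    return delivered;
  }
}

// Constructed socket client: an id and an inbox of received events.
function makeConnection(id) {
  return { id, received: [] };
}

// The scenario from the issue: a token is created for one client while two
// clients are connected. With no filter, the 'created' event (token included)
// reaches both of them; with `filter(() => false)` it reaches neither.
function simulate({ lockDown }) {
  const auth = new EventFilteringService('auth/local');
  if (lockDown) {
    auth.filter(() => false); // the mitigation from the thread
  }
  const alice = auth.connect(makeConnection('alice'));
  const mallory = auth.connect(makeConnection('mallory'));

  // Constructed placeholder token; a real service would emit a signed JWT.
  const delivered = auth.emit('created', { token: 'TOKEN_FOR_ALICE', userId: 1 });

  return {
    delivered,
    aliceSaw: alice.received.length,
    mallorySaw: mallory.received.length,
  };
}

// Stand-alone demonstration.
console.log('default :', simulate({ lockDown: false }));
console.log('lockDown:', simulate({ lockDown: true }));
```

Running it prints that the default configuration delivers the token to both `alice` and `mallory`, while the locked-down service delivers it to nobody. Because the filter runs per connection, the same hook is also the place where a real deployment would decide to send an event only to the connection it concerns, but the thread's recommendation for an auth service is simply to send none.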
@ekryski

Member

ekryski commented Mar 25, 2016

👍 @t2t2 thanks for pointing it out. I was aware of this and have a note in the code but forgot to create an issue and completely forgot about it!

We'll get a fix in for this soon. In the meantime anyone can lock down their services by doing what @daffl mentioned.

@ekryski ekryski added the Bug label Mar 26, 2016

@ekryski ekryski modified the milestones: 1.0, 0.7 Mar 26, 2016

@ekryski ekryski changed the title from "Generated tokens are broadcast to all socket clients (by default)" to "[security] Generated tokens are broadcast to all socket clients (by default)" Mar 26, 2016

@ekryski ekryski referenced this issue in 0.7 Release #139 (merged, 17 of 17 tasks complete) Mar 30, 2016

@ekryski ekryski closed this in 44aa4c3 Mar 30, 2016
