Improve API security #250

@tobyzerner

Currently:

  • We expire API tokens after 1 hour
  • For tokens created by logging into Flarum's web app, we expire them after 14 days so that the user can be remembered via cookie
  • Logging out destroys all tokens

I would like to discuss:

  • The benefits of adopting a spec like OAuth2 in our case (JavaScript app can't keep a secret), as opposed to our simple token system.
  • Implementing a "sudo mode" for sensitive actions like changing emails, and using any admin function (edit/delete user, admin CP, etc.). This would basically get the user to enter their password in order to obtain a privileged token that is expired after 30 mins.
  • Any other things we should do to improve security of the API.
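The token model described in this issue (1-hour API tokens, 14-day session tokens, logout revoking every token, and the proposed 30-minute "sudo" token obtained by re-entering the password) as an added, self-contained example. This is not Flarum's code: `TokenStore`, `TokenRecord`, the in-memory dictionaries and the injectable clock are all assumptions made for the example, and the user id and password are constructed sample values. Tokens are stored hashed so the store itself is not a replayable secret, and password comparison is constant-time.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Lifetimes taken from the issue: API tokens 1 hour, web-app login tokens
# 14 days, and the proposed privileged "sudo" token 30 minutes.
TOKEN_TTL = {
    "api": 60 * 60,
    "session": 14 * 24 * 60 * 60,
    "sudo": 30 * 60,
}


@dataclass
class TokenRecord:
    user_id: int
    kind: str          # "api", "session" or "sudo"
    expires_at: float  # absolute timestamp (seconds)


def _digest(raw_token: str) -> str:
    # Only the hash of a bearer token is stored; a leaked token table cannot be replayed.
    return hashlib.sha256(raw_token.encode()).hexdigest()


class TokenStore:
    """Hypothetical in-memory token store (example only, not Flarum's implementation)."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock  # injectable so expiry can be exercised deterministically
        self._tokens: Dict[str, TokenRecord] = {}
        self._passwords: Dict[int, Tuple[bytes, bytes]] = {}  # user_id -> (salt, pbkdf2 hash)

    # --- password handling (constructed user table for the example)
    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register_user(self, user_id: int, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._passwords[user_id] = (salt, self._hash_password(password, salt))

    def _check_password(self, user_id: int, password: str) -> bool:
        entry = self._passwords.get(user_id)
        if entry is None:
            return False
        salt, expected = entry
        return hmac.compare_digest(self._hash_password(password, salt), expected)

    # --- token lifecycle
    def issue(self, user_id: int, kind: str) -> str:
        raw = secrets.token_urlsafe(32)
        expires = self._clock() + TOKEN_TTL[kind]
        self._tokens[_digest(raw)] = TokenRecord(user_id, kind, expires)
        return raw

    def resolve(self, raw: str) -> Optional[TokenRecord]:
        key = _digest(raw)
        rec = self._tokens.get(key)
        if rec is None:
            return None
        if rec.expires_at <= self._clock():
            del self._tokens[key]  # lazily purge expired tokens
            return None
        return rec

    def login(self, user_id: int, password: str) -> Optional[str]:
        # Web-app login: password check yields a long-lived session token.
        if not self._check_password(user_id, password):
            return None
        return self.issue(user_id, "session")

    def elevate(self, raw: str, password: str) -> Optional[str]:
        # Sudo mode: a valid token plus the password yields a short-lived privileged token.
        rec = self.resolve(raw)
        if rec is None or not self._check_password(rec.user_id, password):
            return None
        return self.issue(rec.user_id, "sudo")

    def authorize(self, raw: str, sensitive: bool) -> bool:
        # Sensitive actions (email change, admin functions) require an unexpired sudo token.
        rec = self.resolve(raw)
        if rec is None:
            return False
        return rec.kind == "sudo" if sensitive else True

    def logout(self, raw: str) -> int:
        # Logging out destroys every token belonging to the user; returns how many.
        rec = self.resolve(raw)
        if rec is None:
            return 0
        doomed = [k for k, r in self._tokens.items() if r.user_id == rec.user_id]
        for k in doomed:
            del self._tokens[k]
        return len(doomed)
```

Passing a fake clock to `TokenStore` lets a test advance time past the 30-minute, 1-hour and 14-day boundaries without sleeping; in production the default `time.time` is used and expired rows should additionally be swept periodically rather than only on lookup.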
