Merge pull request #5314 from hypothesis/admin-auth-client-warning

Add security warning on admin/create-oauth-client form
hypothesis · Sep 26, 2018 · 2b1f5bd · 2b1f5bd
2 parents 2c85928 + dfeda28
commit 2b1f5bd
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 0 deletions.
diff --git a/h/static/styles/admin.scss b/h/static/styles/admin.scss
@@ -13,6 +13,7 @@
 @import 'partials/search-form';
 @import 'partials/svg-icon';
 @import 'partials/tooltip';
+@import 'partials/warning-box';
 
 .flashbar {
   margin-top: 20px;

diff --git a/h/static/styles/partials/_warning-box.scss b/h/static/styles/partials/_warning-box.scss
@@ -0,0 +1,9 @@
+.warning-box {
+  background-color: #fff4aa;
+  border: 1px solid orange;
+  border-radius: 3px;
+  margin-bottom: 20px;
+  padding-left: 10px;
+  padding-right: 10px;
+}
+
diff --git a/h/templates/admin/oauthclients_create.html.jinja2 b/h/templates/admin/oauthclients_create.html.jinja2
@@ -4,5 +4,20 @@
 {% set page_title = 'Create OAuth client' %}
 
 {% block content %}
+<div class="warning-box">
+  <h3>Security Warning</h3>
+
+  <p>Be especially careful and thoughtful when creating OAuth clients with grant type of
+  <code>client_credentials</code> (a.k.a. "auth_client" credentials), as these grant
+  significant powers:</p>
+
+  <ul>
+    <li>Do not store this type of credentials in unencrypted form; share them securely only with their intended users.</li>
+    <li>These credentials grant the ability to create and manipulate all users and other resources (groups, e.g.) within <strong>an entire authority</strong>.</li>
+    <li>These credentials are intended for third parties. Creating <code>client_credentials</code>
+        for the "hypothes.is" authority would grant keys to the entire kingdom of first-party users.</li>
+  </ul>
+</div>
+
   {{ form }}
 {% endblock content %}