A way to disable configureLoginService method altogether #7745

I do not like how there is a configureLoginService method available which allows configuring a service the first time without any permission checks. This means that anyone who installs my app and does not configure all services my app otherwise integrates (and uses their packages) can get their services configured by somebody, no? And this could then open others to log into the app using a different authentication mechanism than expected.

Comments

Hi all - just reviewing this issue a bit. Currently, there are safeguards in place to prevent the following (extracted from 3720106):

The problem that remains (as I understand it) is covered under the following scenario:

Given the above scenario, how would we go about locking this down? The

(I took the liberty of replacing the Mallory and Bob names in the above scenario, because in many such scenarios Mallory stands for a malicious one.)

Yes, the above scenario explains it well. The existing code does not seem to protect it. What I would do is simply allow one to ship an app without Personally, I would do it so that if no For myself, I would also be OK with opting out. But that is less safe in general if you do not know about it.

Thanks @mitar - I prefer the opt-in approach as well. This sounds great!

So, just to be clear, opt-in has a slight backwards incompatibility if you have been relying on it being present in the base package, but not using the ui package. But I think it is worth it.

To help provide a clearer separation between feature requests and bugs, and to help clean up the feature request backlog, Meteor feature requests are now being managed under the https://github.com/meteor/meteor-feature-requests repository. Migrated to meteor/meteor-feature-requests#13.
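The following is an added example that is not part of this issue and not Meteor's code. It models the two behaviours the thread contrasts: a first-time configuration method that accepts whoever calls it first, and an opt-in variant where the unauthenticated first-time path is off unless the app operator turns it on. A plain in-memory Map stands in for the service configuration collection; the function names, the `roles` field on the caller and the `allowFirstTimeConfig` option are all assumptions made for the illustration.

```javascript
// Added example, not code from Meteor or from this issue's participants.
// A plain in-memory Map stands in for the service-configuration collection,
// and the function names, the `roles` field on the caller and the
// `allowFirstTimeConfig` option are hypothetical.

const configurations = new Map(); // service name -> stored configuration

// Reset helper so the two variants can be exercised from a clean state.
function resetConfigurations() {
  configurations.clear();
}

// Variant 1: the behaviour the issue describes. Whoever calls first for a
// service that has no record yet gets their configuration stored, with no
// check on who the caller is.
function configureLoginServiceOpen(caller, service, config) {
  if (configurations.has(service)) {
    throw new Error(`service "${service}" is already configured`);
  }
  configurations.set(service, {
    ...config,
    configuredBy: caller.userId ?? 'anonymous',
  });
  return true;
}

// Variant 2: same contract, but the unauthenticated first-time path is
// opt-in. Unless the operator passed `allowFirstTimeConfig: true`, only a
// caller holding the admin role may create a record for a service.
function configureLoginServiceGuarded(caller, service, config, options = {}) {
  const { allowFirstTimeConfig = false } = options;
  if (configurations.has(service)) {
    throw new Error(`service "${service}" is already configured`);
  }
  const isAdmin = Array.isArray(caller.roles) && caller.roles.includes('admin');
  if (!isAdmin && !allowFirstTimeConfig) {
    throw new Error('not authorized to configure login services');
  }
  configurations.set(service, {
    ...config,
    configuredBy: caller.userId ?? 'anonymous',
  });
  return true;
}

// Read-only view: who created the record for a given service (useful when
// auditing which account set up a login provider).
function configuredBy(service) {
  const record = configurations.get(service);
  return record ? record.configuredBy : undefined;
}

// Stand-alone demonstration with a constructed anonymous caller and a
// constructed admin caller; returns what each variant did.
function demo() {
  const anonymous = { userId: null };
  const admin = { userId: 'u-admin', roles: ['admin'] };
  const config = { clientId: 'constructed-client-id' };
  const results = {};

  resetConfigurations();
  results.openAcceptsAnonymous = configureLoginServiceOpen(anonymous, 'github', config);

  resetConfigurations();
  try {
    configureLoginServiceGuarded(anonymous, 'github', config);
    results.guardedAcceptsAnonymous = true;
  } catch (e) {
    results.guardedAcceptsAnonymous = false;
  }
  results.guardedAcceptsAdmin = configureLoginServiceGuarded(admin, 'github', config);
  results.githubConfiguredBy = configuredBy('github');
  return results;
}
```

Run with `node` and call `demo()`: the open variant stores the anonymous caller's configuration, the guarded variant rejects it and accepts only the admin, and the stored record names the account that created it. Passing `{ allowFirstTimeConfig: true }` reproduces the opt-out behaviour mentioned in the thread, where an operator who knowingly ships without configuring a service accepts the first-caller semantics.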