Remove user secret key from encrypted session token #652

Alevsk · 2021-03-17T22:56:39Z

User secret key is not really need it to be stored inside the encrypted
session key, since the change-password endpoint requires the user to
provide the current secret key that password will be used to
initialize a new minio client then we will leverage on the
SetUser operation, this api only works with actual user credentials
and not sts credentials

User secret key is not really need it to be stored inside the encrypted session key, since the `change-password` endpoint requires the user to provide the current `secret key` that password will be used to initialize a new minio client then we will leverage on the `SetUser` operation, this api only works with actual user credentials and not sts credentials

Alevsk self-assigned this Mar 17, 2021

Alevsk force-pushed the change-password-refactor branch from ef05054 to 0ae9f92 Compare March 17, 2021 22:57

Alevsk requested review from aead, dvaldivia, harshavardhana and bexsoft March 17, 2021 22:57

Alevsk added the security label Mar 17, 2021

Alevsk linked an issue Mar 17, 2021 that may be closed by this pull request

Remove user secret key from encrypted session token #651

Closed

Alevsk force-pushed the change-password-refactor branch from 0ae9f92 to b5c3201 Compare March 17, 2021 23:18

dvaldivia approved these changes Mar 17, 2021

View reviewed changes

aead approved these changes Mar 18, 2021

View reviewed changes

dvaldivia merged commit c48a024 into minio:master Mar 18, 2021

Alevsk deleted the change-password-refactor branch March 18, 2021 17:42

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remove user secret key from encrypted session token #652

Remove user secret key from encrypted session token #652

Alevsk commented Mar 17, 2021

Remove user secret key from encrypted session token #652

Remove user secret key from encrypted session token #652

Conversation

Alevsk commented Mar 17, 2021