Currently the JWT authentication helper validates the JWT as a valid JWT issued by the anchor, but doesn't actually check which user is authenticating. This means anyone can access anyone else's information, such as transaction history, just by authenticating as themselves, or any other Stellar address.
Endpoints such as /transactions should get the Stellar account from the JWT, rather than doing non-standard things like adding an account query parameter to choose whose info to return. /transactions?account=<> is not compliant with the spec and should be removed, using the sub account from the JWT instead.
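To make the flaw in the issue concrete, here is an added example (not code from the issue or from the project) showing the two handler shapes side by side: one that verifies the token and then trusts `?account=` from the query string, and one that derives the account from the verified `sub` claim. It assumes an HS256 toy signer with a constructed secret, a placeholder issuer URL, placeholder Stellar account strings, and an in-memory dict standing in for the transaction store.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; a real anchor keeps its signing key out of source.
ANCHOR_SECRET = b"constructed-demo-secret-not-for-production"
ANCHOR_ISSUER = "https://anchor.example.com/auth"  # assumed issuer URL

# Constructed transaction store keyed by Stellar account (placeholder accounts).
TRANSACTIONS = {
    "G_ALICE_PLACEHOLDER": [{"id": "tx-1", "amount": "10"}],
    "G_BOB_PLACEHOLDER": [{"id": "tx-2", "amount": "25"}],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(account: str, now=None, ttl=300) -> str:
    """Mint an HS256 JWT whose `sub` is the authenticated Stellar account (toy signer)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"iss": ANCHOR_ISSUER, "sub": account, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(ANCHOR_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, now=None) -> dict:
    """Check algorithm, signature, issuer, `sub` and expiry; return claims or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(ANCHOR_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ANCHOR_ISSUER:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise ValueError("missing sub")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims


def transactions_vulnerable(token: str, query: dict) -> list:
    """Flawed handler: the JWT is verified, but the account whose history is
    returned comes from ?account=... in the query string, so any authenticated
    caller can read any account's transactions."""
    verify_jwt(token)
    return TRANSACTIONS.get(query.get("account"), [])


def transactions_fixed(token: str, query: dict) -> list:
    """Hardened handler: the account is the verified `sub`; a client-supplied
    account parameter is rejected outright rather than silently honoured."""
    claims = verify_jwt(token)
    if "account" in query:
        raise ValueError("account is taken from the JWT sub claim, not the query string")
    return TRANSACTIONS.get(claims["sub"], [])


if __name__ == "__main__":
    alice = issue_jwt("G_ALICE_PLACEHOLDER")
    print("vulnerable, ?account=bob:", transactions_vulnerable(alice, {"account": "G_BOB_PLACEHOLDER"}))
    print("fixed, sub only:", transactions_fixed(alice, {}))
```

Rejecting a stray `account` parameter (instead of ignoring it) is a deliberate fail-closed choice: a client that still sends it is either out of date or probing, and a 400 makes that visible in logs rather than quietly returning the caller's own data.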
This was addressed in 0.9.5. There are still endpoints that should have JWT validation, but we don't want to pass the JWT in the URL. This issue is tracked in #17
Version 0.9.2