Reset secret of web app that could have been exposed by Doorkeeper #13688
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
What about other apps? |
Well, we couldn't possibly do anything about them on source code level, like if you forcefully reset a secret and the app developer doesn't know about it then the app is as good as useless. App devs have to handle this themselves. It must also be noted that because of the federated nature of Mastodon most user-facing apps are dynamically created by the user's app on their own device, which is also the only person such a secret would be exposed to by the Doorkeeper vulnerability. So there is no risk and no need for rotation there. The only apps that would be endangered by this are server-side apps like Mastodon/Twitter cross-posters that manage many users at once. |
There are no obvious ways it could be misused, as the secret is not really used for anything, but it is best to secure it for the future Follow-up to #13613
Gargron
force-pushed
the
fix-reset-superapp-secret
branch
from
c722721
to
3a50676
Compare
ClearlyClaire
approved these changes
May 10, 2020
shouo1987
pushed a commit
to CrossGate-Pawoo/mastodon
that referenced
this pull request
May 19, 2020
…astodon#13688) There are no obvious ways it could be misused, as the secret is not really used for anything, but it is best to secure it for the future Follow-up to mastodon#13613
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There are no obvious ways it could be misused, as the secret is not
really used for anything, but it is best to secure it for the future
Follow-up to #13613