mirror of
https://github.com/spiral-project/ihatemoney.git
synced 2025-04-28 17:32:38 +02:00
Update security docs for the new feed token
This commit is contained in:
parent
ad5b108ec0
commit
28bb8931e4
2 changed files with 26 additions and 14 deletions
@ -11,18 +11,19 @@ expenses in the first place!
That being said, there are a few mechanisms to limit the impact of a
malicious member and to manage changes in membership (e.g. ensuring that
a previous member can no longer access the project). But these
mechanisms don\'t prevent a malicious member from breaking things in
mechanisms don't prevent a malicious member from breaking things in
your project!
## Security model
A project has three main parameters when it comes to security:
A project has four main parameters when it comes to security:
- **project identifier** (equivalent to a \"login\")
- **private code** (equivalent to a \"password\")
- **token** (cryptographically derived from the private code)
- **auth token** (cryptographically derived from the private code)
- **feed token** (also cryptographically derived from the private code)
Somebody with the private code can:
Somebody with the **private code** can:
- access the project through the web interface or the API
- add, modify or remove bills
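Review bot: the new **feed token** bullet only says it is "also cryptographically derived from the private code", which reads as if it were interchangeable with the auth token; state in this list that it is a separate value with read-only scope (as the later "Somebody with the **feed token**" paragraph does), so a reader does not conclude that a leaked feed URL grants API access. Changing "three main parameters" to "four" matches the added bullet.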
@ -31,7 +32,7 @@ Somebody with the private code can:
- change the email address associated to the project
- change the private code of the project
Somebody with the token can manipulate the project through the API to do
Somebody with the **auth token** can manipulate the project through the API to do
essentially the same thing:
- access the project
@ -40,10 +41,13 @@ essentially the same thing:
- change the email address associated to the project
- change the private code of the project
The token can also be used to build \"invitation links\". These links
The auth token can also be used to build "invitation links". These links
allow to login on the web interface without knowing the private code,
see below.
Somebody with the **feed token** can only access a read-only view of the project
through a RSS feed (at `/<project_id>/feed/<token>.xml`).
## Giving access to a project
There are two main ways to give access to a project to a new person:
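Review bot: the feed URL `/<project_id>/feed/<token>.xml` carries the token in the path, so it ends up in browser history, proxy and web-server access logs, and feed-reader configurations; add a sentence in the new feed-token paragraph that the feed URL must be treated as a secret, since anyone who obtains it can read every bill until the private code is changed. Style nit in the unchanged context line: "allow to login on the web interface" reads better as "allow logging in to the web interface".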
@ -57,25 +61,33 @@ The second method is interesting because it does not reveal the private
code. In particular, somebody that is logged-in through the invitation
link will not be able to change the private code, because the web
interface requires a confirmation of the existing private code to change
it. However, a motivated person could extract the token from the
it. However, a motivated person could extract the auth token from the
invitation link, use it to access the project through the API, and
change the private code through the API.
## Removing access to a project
If a person should no longer be able to access a project, the only way
is to change the private code.
is to change the private code for the whole project.
This will also automatically change the token: old invitation links
won\'t work anymore, and anybody with the old token will no longer be
able to access the project through the API.
This will prevent anybody from logging in with the old private code.
However, anybody with an existing session cookie will still have
access to the project. This is a [known issue](https://github.com/spiral-project/ihatemoney/issues/857)
that should be fixed.
Changing the private code will automatically change the auth token:
old invitation links won't work anymore, and anybody with the old token
will no longer be able to access the project through the API.
This will also automatically change the feed token, so that existing
links to the RSS feed for the project will no longer work.
## Recovering access to a project
If the private code is no longer known, the creator of the project can
still recover access. He/she must have provided an email address when
creating the project, and Ihatemoney can send a reset link to this email
address (classical \"forgot your password\" functionality).
address (classical "forgot your password" functionality).
Note, however, that somebody with the private code could have changed
the email address in the settings at any time.
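Review bot: "the only way is to change the private code for the whole project", read together with "This will also automatically change the feed token", means a leaked feed URL cannot be revoked on its own: the owner has to rotate the private code and thereby break every invitation link for every member. State that trade-off explicitly in the feed-token paragraph, because it is what a project owner needs to know before sharing a feed URL. The session-cookie caveat with the link to issue 857 is a useful addition. Minor, in the unchanged recovery text: "He/she must have provided" could be "They must have provided".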
@ -479,8 +479,8 @@ class Project(db.Model):
:param token_type: Either "auth" for authentication (invalidated when project code changed),
or "reset" for password reset (invalidated after expiration),
or "feed" for project feeds (invalidated when project code changed)
:param project_id: Project ID. Used for token_type "auth" to use the password as serializer
secret key.
:param project_id: Project ID. Used for token_type "auth" and "feed" to use the password
as serializer secret key.
:param max_age: Token expiration time (in seconds). Only used with token_type "reset"
"""
loads_kwargs = {}
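Review bot: the docstring now says both "auth" and "feed" tokens use the password as serializer secret key and are both invalidated when the project code changes, but it does not say what keeps the two types from being interchangeable; document whether the token_type is mixed into the serializer (for instance as a salt) so that a feed token presented to the API is rejected, since that is the property the security docs in this same commit rely on. The max_age line ("Only used with token_type "reset"") implies feed tokens never expire; say so in the "feed" description rather than leaving it implicit.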