diff --git a/docs/security.md b/docs/security.md index 51944b33..d4913856 100644 --- a/docs/security.md +++ b/docs/security.md @@ -11,18 +11,19 @@ expenses in the first place! That being said, there are a few mechanisms to limit the impact of a malicious member and to manage changes in membership (e.g. ensuring that a previous member can no longer access the project). But these -mechanisms don\'t prevent a malicious member from breaking things in +mechanisms don't prevent a malicious member from breaking things in your project! ## Security model -A project has three main parameters when it comes to security: +A project has four main parameters when it comes to security: - **project identifier** (equivalent to a \"login\") - **private code** (equivalent to a \"password\") -- **token** (cryptographically derived from the private code) +- **auth token** (cryptographically derived from the private code) +- **feed token** (also cryptographically derived from the private code) -Somebody with the private code can: +Somebody with the **private code** can: - access the project through the web interface or the API - add, modify or remove bills @@ -31,7 +32,7 @@ Somebody with the private code can: - change the email address associated to the project - change the private code of the project -Somebody with the token can manipulate the project through the API to do +Somebody with the **auth token** can manipulate the project through the API to do essentially the same thing: - access the project 
@@ -40,10 +41,13 @@ essentially the same thing: - change the email address associated to the project - change the private code of the project -The token can also be used to build \"invitation links\". These links +The auth token can also be used to build "invitation links". These links allow to login on the web interface without knowing the private code, see below. +Somebody with the **feed token** can only access a read-only view of the project +through a RSS feed (at `//feed/.xml`). + ## Giving access to a project There are two main ways to give access to a project to a new person: 
@@ -57,25 +61,33 @@ The second method is interesting because it does not reveal the private code. In particular, somebody that is logged-in through the invitation link will not be able to change the private code, because the web interface requires a confirmation of the existing private code to change -it. However, a motivated person could extract the token from the +it. However, a motivated person could extract the auth token from the invitation link, use it to access the project through the API, and change the private code through the API. ## Removing access to a project If a person should no longer be able to access a project, the only way -is to change the private code. +is to change the private code for the whole project. -This will also automatically change the token: old invitation links -won\'t work anymore, and anybody with the old token will no longer be -able to access the project through the API. +This will prevent anybody from logging in with the old private code. +However, anybody with an existing session cookie will still have +access to the project. This is a [known issue](https://github.com/spiral-project/ihatemoney/issues/857) +that should be fixed. + +Changing the private code will automatically change the auth token: +old invitation links won't work anymore, and anybody with the old token +will no longer be able to access the project through the API. + +This will also automatically change the feed token, so that existing +links to the RSS feed for the project will no longer work. ## Recovering access to a project If the private code is no longer known, the creator of the project can still recover access. He/she must have provided an email address when creating the project, and Ihatemoney can send a reset link to this email -address (classical \"forgot your password\" functionality). +address (classical "forgot your password" functionality). 
Note, however, that somebody with the private code could have changed the email address in the settings at any time. diff --git a/ihatemoney/models.py b/ihatemoney/models.py index c3d72dc8..74170fef 100644 --- a/ihatemoney/models.py +++ b/ihatemoney/models.py @@ -479,8 +479,8 @@ class Project(db.Model): :param token_type: Either "auth" for authentication (invalidated when project code changed), or "reset" for password reset (invalidated after expiration), or "feed" for project feeds (invalidated when project code changed) - :param project_id: Project ID. Used for token_type "auth" to use the password as serializer - secret key. + :param project_id: Project ID. Used for token_type "auth" and "feed" to use the password + as serializer secret key. :param max_age: Token expiration time (in seconds). Only used with token_type "reset" """ loads_kwargs = {}
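Review bot: In the `@@ -11,18 +11,19 @@` hunk of docs/security.md, the new bullet says the feed token is "also cryptographically derived from the private code", which reads as if it were the same kind of secret as the auth token; since the model docstring in this patch says both token types use the password as the serializer secret key, the security model section should state explicitly that a feed token cannot be used where an auth token is expected (and vice versa), or the "read-only" claim made two hunks later is not supported by anything in the doc. Suggest something like "- **feed token** (derived from the private code, but distinct from the auth token: it only grants read access to the feed)".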
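Review bot: In the `@@ -40,10 +41,13 @@` hunk, the feed path renders as `//feed/.xml`, so the two placeholder segments (the project identifier and the feed token) have been lost, most likely because angle-bracket placeholders are swallowed as HTML by the markdown renderer; write them as escaped or code-spanned placeholders so readers can see that the token is a component of the URL. Because that token sits in the URL, it will end up in browser history, feed-reader configuration and web server access logs, and the new paragraph should say so and point to "change the private code" (documented in the next hunk as rotating the feed token) as the way to revoke it. Also "a RSS feed" should read "an RSS feed".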
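Review bot: In the `@@ -57,25 +61,33 @@` hunk, the new session-cookie caveat ("anybody with an existing session cookie will still have access") is stated only in terms of the old private code, but the same hunk says invitation links log a person in on the web interface; a person who used an invitation link before the code was changed therefore keeps access through their session even though the link itself stops working. The "old invitation links won't work anymore" sentence should be qualified accordingly, e.g. "old invitation links won't work anymore (but see the session cookie issue above)", so the limitation tracked in issue 857 is not read as applying only to password logins.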
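Review bot: In the `@@ -479,8 +479,8 @@` hunk of ihatemoney/models.py, the docstring now says both "auth" and "feed" use the password as serializer secret key but does not say what keeps the two token types apart; if they share the secret and nothing else distinguishes them, a read-only feed token would be interchangeable with a full-access auth token. Document how the token types are separated (for example which salt or namespace each type is signed with), and consider noting next to the "feed" description that, like "auth", it is invalidated by a private code change, matching what docs/security.md now promises.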