fix(security): require authentication for the credential check endpoint#323
Open
Isaries wants to merge 1 commit into
Open
fix(security): require authentication for the credential check endpoint#323Isaries wants to merge 1 commit into
Isaries wants to merge 1 commit into
Conversation
The endpoint that verifies a username and password was reachable without authentication and returned the account's id and real name for any valid username, letting an anonymous caller brute-force passwords and harvest user ids and real names by probing usernames. Require an authenticated user, and only return the account id and name after the correct password has been supplied. The team sign-in flow, the only caller, already runs in an authenticated session and reads those fields only after a successful check.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The credential check endpoint required no authentication and always returned the account id and real name for any valid username, even when the password was wrong. This let anyone harvest user ids and real names by probing usernames. This requires authentication and only returns the identity fields once the correct password has been provided.
Changes
@Secured("ROLE_USER")to the credential check method.userId,username,firstNameandlastNamein the response when the password is valid.Testing
mvnw package).