Opened 2 years ago
Closed 2 years ago
#1327 closed defect (fixed)
OAuth: unauthorized token handling
| Reported by: | jmonnich | Owned by: | arescope |
|---|---|---|---|
| Priority: | high | Milestone: | v1.1 |
| Component: | Security | Version: | 1.1 |
| Keywords: | | Cc: | |
Description
The API does not check if the access token has been authorized by the user. This would allow e.g. a rogue app (which of course needs to be added by indico admins nowadays so it's not really exploitable) to silently start the authentication flow and then use the token without the user ever authorizing it.
Additionally an unauthorized token should not be shown in the user's oauth token list yet.
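As an added illustration of the two points in this ticket (not Indico's own code; the `AccessToken` model, `TokenStore` and its method names are assumptions), the token lookup and the per-user token listing are shown once without the authorization check and once with it:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AccessToken:
    value: str
    user_id: int
    client_id: str
    # Flipped to True only when the user completes the authorization step;
    # a client that starts the flow silently never gets past False.
    authorized: bool = False


class TokenStore:
    """Constructed in-memory token store (hypothetical, not Indico's model)."""

    def __init__(self) -> None:
        self._tokens: Dict[str, AccessToken] = {}

    def issue(self, value: str, user_id: int, client_id: str) -> AccessToken:
        token = AccessToken(value, user_id, client_id)
        self._tokens[value] = token
        return token

    def authorize(self, value: str) -> None:
        # Called only from the user-facing consent step.
        self._tokens[value].authorized = True

    # Before the fix: the API accepted any token it could find, authorized or not.
    def lookup_vulnerable(self, value: str) -> Optional[AccessToken]:
        return self._tokens.get(value)

    # After the fix: a token the user never authorized is treated like no token.
    def lookup(self, value: str) -> Optional[AccessToken]:
        token = self._tokens.get(value)
        if token is None or not token.authorized:
            return None
        return token

    # Before the fix: the user's token list showed pending tokens as well.
    def user_tokens_vulnerable(self, user_id: int) -> List[AccessToken]:
        return [t for t in self._tokens.values() if t.user_id == user_id]

    # After the fix: only tokens the user actually authorized are listed.
    def user_tokens(self, user_id: int) -> List[AccessToken]:
        return [t for t in self._tokens.values()
                if t.user_id == user_id and t.authorized]
```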
Change History (6)
comment:1 Changed 2 years ago by jmonnich
- Owner set to arescope
- Status changed from new to assigned
comment:2 Changed 2 years ago by arescope
- Milestone set to v1.1
comment:3 Changed 2 years ago by arescope
- Status changed from assigned to in_work
comment:4 Changed 2 years ago by arescope
- Status changed from in_work to awaiting_merge
comment:5 Changed 2 years ago by jbenito
- Status changed from awaiting_merge to merging
comment:6 Changed 2 years ago by jbenito
- Resolution set to fixed
- Status changed from merging to closed
branch 1313-1321-1326-1327-several-1.1-fixes