atomic-data-browser
Improved cookie based auth
Current implementation of cookie based auth #241 solves the most important issue (being able to view private images), but it still needs some improvements:
- [ ] #278
- [ ] Signed authentication should include expiration date. Otherwise, the signature / cookie can be re-used by malicious actors outside of the expiration date. https://github.com/atomicdata-dev/atomic-data-rust/issues/526
- [ ] Use cookie authentication for file uploads, so we can get rid of signing individual HTTP requests. Note that this currently works on same-origin situations, but not cross.
Cross origin cookies can't be set from JavaScript by design (major security risk); from what I can see, only subdomains are a possibility. Proxying images through your own server seems like an easy solution.
By far the simplest way to invalidate authentication is to set a minimum timestamp and reject everything earlier. Though just adding an expiration is more robust.
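The two checks discussed in this thread, an expiry inside the signed payload and a minimum-timestamp cutoff, shown together as an added example that is not code from atomic-data-browser or atomic-data-rust. The cookie layout, the field names (`agent`, `issuedAt`, `expiresAt`), the use of Ed25519, the lifetime cap and the way the server obtains the public key are all assumptions made for illustration.

```javascript
// Added example; cookie layout and policy values are assumptions, not the project's format.
const nodeCrypto = require("node:crypto");

const MAX_LIFETIME_MS = 24 * 60 * 60 * 1000; // assumed policy: cookies live at most 1 day
const CLOCK_SKEW_MS = 60 * 1000; // assumed tolerance for client clock drift

// Client: expiresAt is inside the signed bytes, so it cannot be extended afterwards.
function issueCookie(privateKey, agent, issuedAt, expiresAt) {
  const payload = Buffer.from(JSON.stringify({ agent, issuedAt, expiresAt }));
  const sig = nodeCrypto.sign(null, payload, privateKey); // Ed25519 takes no digest name
  return payload.toString("base64url") + "." + sig.toString("base64url");
}

// Server: now and minIssuedAt are ms since epoch; minIssuedAt is the revocation cutoff.
function verifyCookie(cookie, publicKey, now, minIssuedAt = 0) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = String(cookie).split(".");
  if (parts.length !== 2) return fail("malformed");
  const payload = Buffer.from(parts[0], "base64url");
  const sig = Buffer.from(parts[1], "base64url");
  // Verify before parsing, so unauthenticated JSON is never interpreted.
  if (!nodeCrypto.verify(null, payload, publicKey, sig)) return fail("bad-signature");
  let claims;
  try { claims = JSON.parse(payload.toString("utf8")); } catch { return fail("malformed"); }
  const { agent, issuedAt, expiresAt } = claims ?? {};
  if (!Number.isSafeInteger(issuedAt) || !Number.isSafeInteger(expiresAt)) return fail("missing-timestamps");
  if (issuedAt > now + CLOCK_SKEW_MS) return fail("issued-in-future");
  // The signer picks expiresAt, so the server must cap the lifetime it accepts.
  if (expiresAt - issuedAt > MAX_LIFETIME_MS) return fail("lifetime-too-long");
  if (now >= expiresAt) return fail("expired");
  if (issuedAt < minIssuedAt) return fail("revoked");
  return { ok: true, agent };
}

// Constructed demo values: a one-hour cookie checked at three points in time.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  const t0 = 1700000000000;
  const cookie = issueCookie(privateKey, "https://example.com/agents/alice", t0, t0 + 3600000);
  return {
    fresh: verifyCookie(cookie, publicKey, t0 + 1000),
    replayedLater: verifyCookie(cookie, publicKey, t0 + 3600000),
    afterCutoff: verifyCookie(cookie, publicKey, t0 + 1000, t0 + 1),
  };
}
console.log(demo());
```

Raising `minIssuedAt` to the current time rejects every cookie issued earlier, while the `expiresAt` check bounds replay of any single cookie without server-side state.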