Fix: Security Vulnerability - Chat Sessions Remain Accessible After Persona Set to Private
Description
This PR addresses the security vulnerability reported in issue #1970 where chat sessions remain accessible after a persona is set to private. The issue allowed unauthorized users to continue accessing chat history and interacting with a persona even after the owner had set it to private.
Changes Made
Added proper access control checks to all chat-related endpoints to ensure that when a persona is set to private, all associated chat sessions are immediately inaccessible to unauthorized users:
endpoints to check if the user has access to the persona before retrieving chat messages
Implementation Details
For each endpoint, I added a check that uses the existing get_available_app_by_id function, which already properly handles privacy checks. If the persona is private and the user doesn't have access, the endpoints now either:
- Return an empty list (for GET requests)
- Return a 403 Forbidden error (for POST/DELETE requests)
Testing
Tested the following scenarios:
- Creating a public persona and accessing it via direct link
- Setting the persona to private and verifying the link no longer works for unauthorized users
- Verifying the persona owner can still access the chat after setting it to private
- Verifying that testers (if any) can still access the chat
Closes #1970
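The per-request check described in the PR description, as an added sketch that is not the PR's code: because the privacy check runs on every call, flipping the persona to private cuts off an existing session on the next request. `get_available_persona`, the in-memory stores and the `Forbidden` exception are hypothetical stand-ins (for `get_available_app_by_id`, the database and an HTTP 403), and the scenario data is constructed.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    status_code = 403  # stand-in for an HTTP 403 response

@dataclass
class Persona:
    owner: str
    private: bool = False
    testers: set = field(default_factory=set)

PERSONAS = {}  # persona id -> Persona
MESSAGES = {}  # (persona id, user id) -> list of messages

def get_available_persona(persona_id, uid):
    """Hypothetical privacy check: the persona if uid may use it now, else None."""
    p = PERSONAS.get(persona_id)
    if p is None or (p.private and uid != p.owner and uid not in p.testers):
        return None
    return p

def get_messages(persona_id, uid):
    # GET: unauthorized callers receive an empty list
    if get_available_persona(persona_id, uid) is None:
        return []
    return list(MESSAGES.get((persona_id, uid), []))

def send_message(persona_id, uid, text):
    # POST: unauthorized callers are rejected with 403
    if get_available_persona(persona_id, uid) is None:
        raise Forbidden(persona_id)
    MESSAGES.setdefault((persona_id, uid), []).append(text)
    return len(MESSAGES[(persona_id, uid)])

def demo():
    """Constructed scenario following the test list in the description."""
    PERSONAS.clear(); MESSAGES.clear()
    PERSONAS["p1"] = Persona(owner="alice", testers={"tina"})
    send_message("p1", "bob", "hi")        # public persona: bob can chat
    before = get_messages("p1", "bob")
    PERSONAS["p1"].private = True          # owner sets it to private
    after = get_messages("p1", "bob")      # bob's existing session is cut off
    try:
        send_message("p1", "bob", "still there?")
        blocked = False
    except Forbidden:
        blocked = True
    owner_ok = send_message("p1", "alice", "mine")
    tester_ok = send_message("p1", "tina", "testing")
    return before, after, blocked, owner_ok, tester_ok
```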
1/ First, let's define what access and interaction should be allowed when the app is set to private. I think we should update the app as well to ensure a seamless experience.
@skywinder
ping me after 2 weeks (or when you are ready for changes)
/ draft
@skywinder
/ closed
Feel free to reopen it any time, man.
@thinhx
1/ First, let's define what access and interactions should be allowed when the app is set to private.
I assert that when a persona is set to private, all associated chat sessions and data must become immediately inaccessible to other users—this includes revoking active sessions and blocking any new ones from being initiated.
I think we should update the app as well to ensure a seamless experience.
We can iterate on improvements later, but this breach must be fixed on the production server immediately. Let’s move the broader discussion to Discord to align on the next steps.
@skywinder man, have you tested the fixes yet?
Hey man, it's cleaning time.
/ closed
3 days with no updates; feel free to reopen it anytime.