Ghost
Impersonation tokens do signup action if no account is found
Issue Summary
When a user is deleted it is expected that all tokens associated with that account are revoked. This is currently not the case.
Creating a token before deleting a user, then pasting that token into the browser, creates the account again.
Steps to Reproduce
- Create an access token for an account.
- Delete that account.
- Paste that token into your browser.
- User is created again.
The user should NOT be created again and all tokens should be revoked when a user is deleted.
Ghost Version
4.44.0
Node.js Version
16.14.2
How did you install Ghost?
OS - Debian 11 with MariaDB 10.5.15
Database type
MySQL 8
Browser & OS version
No response
Relevant log / error output
No response
Code of Conduct
- [X] I agree to be friendly and polite to people in this repository
Hey there @guidefox. Ghost's magic links are based on JWTs; the tokens aren't stored and there's not really a concept of revocation here. What's happening is that the magic link has a fallback behaviour of creating a new account if no matching account is found.
I realise that's a little jarring, but it's a brand new account that is created, not an old one being restored.
I think it would make sense to pin the impersonation links to only be allowed to do signin, rather than falling back to signup, to make this a little less weird.
Ah, that makes more sense. I think that the current behavior can be improved because it is a little bit jarring right now.
Perhaps a dedicated button for having impersonation tokens re-create the account instead of doing it automatically would be a better solution.
And maybe make the tokens one use only? or at least provide the option to have it expire after one use.
Our bot has automatically marked this issue as stale because there has not been any activity here in some time.
The issue will be closed soon if there are no further updates, however we ask that you do not post comments to keep the issue open if you are not actively working on a PR.
We keep the issue list minimal so we can keep focus on the most pressing issues. Closed issues can always be reopened if a new contributor is found. Thank you for understanding 🙂
This has cropped up in other forms recently, and is something we intend to prioritise fixing in our next bug purge.