Still lets you have console access after changing account password or deleting your account
Current Behavior
I changed my panel user account password from another browser on Account B. I was on console with Account A and if I don't refresh the page, I can still send console commands until I refresh the page. The same thing happens if I delete Account A while on console.
Expected Behavior
It should log you out of the panel as soon as your password is changed or account deleted without having to refresh the page.
Steps to Reproduce
Have two accounts and two browsers. On one account, open console of a running server. On the other account, go to the users admin page and change the password or delete the account. The other account will still have access to send commands in the console of the server.
Panel Version
1.11.5
Wings Version
1.11.8
Games and/or Eggs Affected
No response
Docker Image
No response
Error Logs
No response
Is there an existing issue for this?
- [x] I have searched the existing issues before opening this issue.
- [X] I have provided all relevant details, including the specific game and Docker images I am using if this issue is related to running a server.
- [X] I have checked in the Discord server and believe this is a bug with the software, and not a configuration issue with my specific system.
When the token rotates, it should invalidate.
> When the token rotates, it should invalidate.
That's what I would think it should do. See the recording attached. https://medal.tv/games/minecraft/clips/1XgjCncf2YdTej/d1337AWBNdvV?invite=cr-MSxzb1YsMTc1MDg3NzMxLA
The token only rotates every 10-15 minutes. When it expires / is about to expire, the panel needs to send auth details of the user. When you reload the page this happens immediately, you can see this when you have multiple tabs open and only reload one of those.
Seems like a pretty major flaw, especially as people may sometimes reset a password or delete an account in order to immediately stop access to systems. Does the console still work when the user is deleted? Or is it just password updates?
> Seems like a pretty major flaw, especially as people may sometimes reset a password or delete an account in order to immediately stop access to systems. Does the console still work when the user is deleted? Or is it just password updates?
It still works when the account is deleted
Why aren't sessions invalidated / tokens regenerated upon account deletion? Seems like the obvious thing to do
Yeah that's what I would have thought too but apparently not...
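An added example, not code from this thread or from the project: a per-user revocation cutoff consulted on every console command, so a password change or account deletion takes effect inside the token's lifetime instead of at the next rotation. `Token`, `Revocations`, `Revoke`, `Authorize` and `ExpiryOnly` are hypothetical names, and the token shape is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Token is a constructed stand-in for a short-lived console credential
// (hypothetical shape, not the project's token format).
type Token struct {
	UserID            string
	IssuedAt, Expires time.Time
}

// Revocations maps a user to the instant at or before which issued tokens are void.
type Revocations struct{ cutoff sync.Map }

var ErrExpired, ErrRevoked = errors.New("token expired"), errors.New("token revoked")

// Revoke is the hook to call on a password change or account deletion.
func (r *Revocations) Revoke(userID string, at time.Time) { r.cutoff.Store(userID, at) }

// ExpiryOnly models the reported behaviour: only the expiry time is checked.
func ExpiryOnly(t Token, now time.Time) error {
	if !now.Before(t.Expires) {
		return ErrExpired
	}
	return nil
}

// Authorize runs on every console command, so a revocation applies without a reload.
func (r *Revocations) Authorize(t Token, now time.Time) error {
	if c, ok := r.cutoff.Load(t.UserID); ok && !t.IssuedAt.After(c.(time.Time)) {
		return ErrRevoked
	}
	return ExpiryOnly(t, now)
}

func main() {
	var r Revocations
	t0 := time.Unix(0, 0) // constructed timeline: token issued at t0, valid 10 minutes
	tok := Token{"account-a", t0, t0.Add(10 * time.Minute)}
	now := t0.Add(2 * time.Minute)
	r.Revoke("account-a", t0.Add(time.Minute)) // password changed one minute in
	fmt.Println(ExpiryOnly(tok, now), r.Authorize(tok, now))
}
```

A token issued after the cutoff (a fresh login with the new password) still passes `Authorize`, so only credentials that predate the change are cut off.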