
Revoke token

Open wd15 opened this issue 2 years ago • 5 comments

Can an existing token be revoked with the Surge CLI? surge token --help doesn't give any indications of possible sub-commands.

wd15 — Dec 01 '22 18:12

In light of Circle CI's security incident this would be really needed.

danielfdsilva — Jan 06 '23 10:01

I was digging through the code and found this:

https://github.com/sintaxi/surge/blob/32eaaa2c5731c20093c12fde4c92d58bacda377a/lib/middleware/util/helpers.js#L234

By doing a password reset on my account, I was able to get a new token after the password reset.

brint — Jan 11 '23 03:01

@brint Unfortunately this does not revoke the old token. Here's how I tested it:

Got a token with surge token, logged out and reset the password. Tried the previously issued token by doing surge list --token <token> and it was still working.

danielfdsilva — Jan 13 '23 11:01
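The test above (issue a token, reset the password, check whether the old token still works) is a good acceptance test for any token service. The following is an added illustration, not Surge's code and not a description of how surge.sh stores tokens: a small in-memory token store in which every token records the account's "credential generation" at issue time and a password reset bumps that counter, so tokens issued before the reset stop validating. Only a digest of each token is kept, so a leaked table cannot be replayed. The account name and passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    credential_generation: int = 0  # bumped on every password reset / revoke-all


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is enough for the illustration; a real service would tune cost or use scrypt/argon2.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _hash_token(token: str) -> str:
    # Store only a digest of the bearer token, never the token itself.
    return hashlib.sha256(token.encode()).hexdigest()


class TokenStore:
    """Hypothetical token service whose password reset revokes earlier tokens."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # token digest -> (account, credential generation at issue time)
        self.tokens: Dict[str, Tuple[str, int]] = {}

    def create_account(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(salt, _hash_password(password, salt))

    def _check_password(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt))

    def issue_token(self, email: str, password: str) -> str:
        if not self._check_password(email, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[_hash_token(token)] = (email, self.accounts[email].credential_generation)
        return token

    def owner_of(self, token: str) -> Optional[str]:
        """Return the account a token authenticates, or None if it is unknown or revoked."""
        entry = self.tokens.get(_hash_token(token))
        if entry is None:
            return None
        email, generation = entry
        acct = self.accounts.get(email)
        # A token whose generation no longer matches was issued before a reset: treat as revoked.
        if acct is None or generation != acct.credential_generation:
            return None
        return email

    def revoke_token(self, token: str) -> bool:
        """Explicit single-token revocation (what a `token revoke` subcommand would call)."""
        return self.tokens.pop(_hash_token(token), None) is not None

    def reset_password(self, email: str, new_password: str) -> None:
        acct = self.accounts[email]
        acct.salt = secrets.token_bytes(16)
        acct.password_hash = _hash_password(new_password, acct.salt)
        acct.credential_generation += 1  # invalidates every token issued so far


def reset_revokes_old_tokens() -> bool:
    """Reproduces the thread's check against this store: old token must fail after a reset."""
    store = TokenStore()
    store.create_account("user@example.invalid", "old-password")  # constructed values
    old = store.issue_token("user@example.invalid", "old-password")
    store.reset_password("user@example.invalid", "new-password")
    new = store.issue_token("user@example.invalid", "new-password")
    return store.owner_of(old) is None and store.owner_of(new) == "user@example.invalid"
```

The generation counter is what makes the reset a revocation event; a service that only rewrites the password hash, as the thread observes, leaves every previously issued token valid.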

Bump

alexgleason — Jul 16 '23 23:07

I confirm that /token/reset doesn't reset the token.

curl -vvv -XPOST https://surge.surge.sh/token/reset/[my email here]

Got a 201 back (with no authentication whatsoever 🤯), but token remains the same.

If we at least had access to their API documentation, we would have a workaround until the CLI is fixed.

mauricioklein — Aug 21 '23 08:08