meteor-file-collection

Do not pass auth tokens in URL parameters!

Open crapthings opened this issue 9 years ago • 4 comments

We are using the Cordova InAppBrowser to open a doc file that can be viewed by the system browser:

http://ip:3000/res/docs/d41d8cd98f00b204e9800998ecf8427e?download=true&filename=%E6%B6%89%E7%A8%8E%E9%89%B4%E8%AF%81%E4%B8%9A%E5%8A%A1%E7%BA%A6%E5%AE%9A%E4%B9%A6.doc

Because it opens the native browser, the user has to log in to download the file.

Can we pass the auth token in the query string so we can download the file?

cordova.InAppBrowser.open(`http://ip:3000/res/docs/d41d8cd98f00b204e9800998ecf8427e?download=true&filename=%E6%B6%89%E7%A8%8E%E9%89%B4%E8%AF%81%E4%B8%9A%E5%8A%A1%E7%BA%A6%E5%AE%9A%E4%B9%A6.doc&token=${token}`, '_system')

crapthings, Mar 30 '16 06:03

Something like this?

handle_auth = (req, res, next) ->
  unless req.meteorUserId?
    # Look up the userId if a token is provided in an HTTP header
    if req.headers?['x-auth-token']?
      req.meteorUserId = lookup_userId_by_token req.headers['x-auth-token']
    # Or in a cookie of the same name
    else if req.cookies?['X-Auth-Token']?
      req.meteorUserId = lookup_userId_by_token req.cookies['X-Auth-Token']
    # Or as a URL query parameter
    else if req.query?['xauthtoken']?
      req.meteorUserId = lookup_userId_by_token req.query['xauthtoken']
    else
      req.meteorUserId = null
  # Fall through to the next handler exactly once, whatever the outcome
  next()

crapthings, Mar 30 '16 10:03

Hi, passing the auth token in a user visible URL parameter is highly insecure, and violates good security practices. The auth token allows the bearer full access to the user account. So, for example, if a user copies such a link into an email, or posts it into a public message board, they will have just given the recipients full access to their account, up to and including the ability to change the password and take full control of the account.

Using a Meteor Authentication Token in this way is _highly insecure_!

vsivsi, Mar 30 '16 14:03

How about using a file access token?

crapthings, Mar 31 '16 01:03

Sure, you can create your own per-file random tokens, store them in the file metadata, and then write allow rules to check a URL parameter against that stored token. That will work great so long as you don't care if the user accessing the file has an account on the server (i.e. knowing the file token is sufficient for your application). That's probably good enough for many purposes because the secret only grants access to one file, and can be easily removed by simply removing or replacing the token in the file metadata.

There are some examples like this here: http://github.com/vsivsi/meteor-file-collection#configuring-http-methods

vsivsi, Mar 31 '16 02:03