Expensify / App

Welcome to New Expensify: a complete re-imagination of financial collaboration, centered around chat. Help us build the next generation of Expensify by sharing feedback and contributing to the code.
https://new.expensify.com
MIT License

[$250] Always mask auth tokens when exporting Onyx state #47995

Open TMisiukiewicz opened 4 weeks ago

TMisiukiewicz commented 4 weeks ago

Problem

When exporting the Onyx state from the Troubleshoot section, sensitive information such as authToken and encryptedAuthToken is not masked by default. These tokens remain exposed until the "Mask fragile user data" option is explicitly enabled. This could lead to a security vulnerability, as anyone with access to the exported state file could potentially view or misuse these tokens.

Solution

To mitigate this risk, it should automatically mask authToken and encryptedAuthToken regardless of whether the "Mask fragile user data" option is enabled.

Upwork Automation - Do Not Edit
  • Upwork Job URL: https://www.upwork.com/jobs/~021838166767638673695
  • Upwork Job ID: 1838166767638673695
  • Last Price Increase: 2024-09-23
Current Issue Owner: @muttmuure
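Added example, not part of the issue thread or the Expensify code base: one way to make token masking unconditional at export time while keeping the "Mask fragile user data" option as an additional, opt-in pass. All function names, the state shape, the mask string and the opt-in key list are assumptions made for illustration.

```javascript
// Added example: all names, the state shape and the opt-in key list are assumptions.
const ALWAYS_MASKED_KEYS = new Set(['authToken', 'encryptedAuthToken']);
// Assumed stand-in for whatever the "Mask fragile user data" option covers.
const OPT_IN_MASKED_KEYS = new Set(['email', 'login']);
const MASK = '***';

// Returns a masked deep copy; the input object is never mutated.
function maskValue(value, key, maskFragileData) {
    const mustMask = ALWAYS_MASKED_KEYS.has(key) || (maskFragileData && OPT_IN_MASKED_KEYS.has(key));
    if (mustMask) {
        // Replace the whole value, whatever its type; leave empty values visible as empty.
        return value === null || value === undefined ? value : MASK;
    }
    if (Array.isArray(value)) {
        return value.map((item) => maskValue(item, undefined, maskFragileData));
    }
    if (value !== null && typeof value === 'object') {
        return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, maskValue(v, k, maskFragileData)]));
    }
    return value;
}

// Token masking is unconditional; the option only adds to what is masked.
function exportOnyxState(state, {maskFragileData = false} = {}) {
    return JSON.stringify(maskValue(state, undefined, maskFragileData), null, 2);
}

// Regression check: collect every raw token in the state and report any that survive in the export.
function collectTokens(value, key, found = []) {
    if (ALWAYS_MASKED_KEYS.has(key) && typeof value === 'string' && value !== '') {
        found.push(value);
    } else if (value !== null && typeof value === 'object') {
        Object.entries(value).forEach(([k, v]) => collectTokens(v, Array.isArray(value) ? undefined : k, found));
    }
    return found;
}
function leakedTokens(state, exported) {
    return collectTokens(state).filter((token) => exported.includes(token));
}

// Constructed sample state, not real Onyx data.
const sampleState = {
    session: {authToken: 'constructed-token-1', encryptedAuthToken: 'constructed-token-2', email: 'user@example.com', accountID: 1},
    credentials: {login: 'user@example.com'},
    history: [{authToken: 'constructed-token-3'}],
};
console.log(exportOnyxState(sampleState));
console.log('leaked:', leakedTokens(sampleState, exportOnyxState(sampleState)));
```

Running `leakedTokens` against the serialized output in a unit test catches a later change that reintroduces a code path where tokens are only masked when the option is on.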
TMisiukiewicz commented 4 weeks ago

cc @mountiny

melvin-bot[bot] commented 4 weeks ago

Current assignee @mountiny is eligible for the AutoAssignerNewDotQuality assigner, not assigning anyone new.

melvin-bot[bot] commented 4 weeks ago

📣 @kyy23! 📣 Hey, it seems we don’t have your contributor details yet! You'll only have to do this once, and this is how we'll hire you on Upwork. Please follow these steps:

  1. Make sure you've read and understood the contributing guidelines.
  2. Get the email address used to login to your Expensify account. If you don't already have an Expensify account, create one here. If you have multiple accounts (e.g. one for testing), please use your main account email.
  3. Get the link to your Upwork profile. It's necessary because we only pay via Upwork. You can access it by logging in, and then clicking on your name. It'll look like this. If you don't already have an account, sign up for one here.
  4. Copy the format below and paste it in a comment on this issue. Replace the placeholder text with your actual details. Format:
    Contributor details
    Your Expensify account email: <REPLACE EMAIL HERE>
    Upwork Profile Link: <REPLACE LINK HERE>
goldman727 commented 4 weeks ago

Hello, TMisiukiewicz. I can mask authToken and encryptedAuthToken automatically. Please let me know if you allow me to do it.

muttmuure commented 6 days ago

Merged!

hoangzinh commented 1 day ago

@muttmuure it appears that we haven't processed payment for this issue. Can you double check it? Thank you

melvin-bot[bot] commented 1 day ago

Job added to Upwork: https://www.upwork.com/jobs/~021838166767638673695

melvin-bot[bot] commented 1 day ago

Current assignee @hoangzinh is eligible for the External assigner, not assigning anyone new.

muttmuure commented 1 day ago

Invited

hoangzinh commented 1 day ago

@muttmuure I haven't received the Upwork offer yet. Can you check it again? Thank you

muttmuure commented 1 day ago

Can you share your Upwork profile?

hoangzinh commented 1 day ago

Sent you in Slack @muttmuure