SpongePowered / LegacySpongeAuth

An authentication portal for shared user accounts between Sponge services.

Endpoint Security Review #6

Open progwml6 opened 7 years ago

progwml6 commented 7 years ago

Before we have Discourse & Ore use this for auth, we will need to do an internal security audit to ensure that all endpoints require the necessary fields, that PII isn't exposed when it shouldn't be, etc. We should likely make sure that the tests in the repo have all of these tests.

This includes unlikely endpoint combinations & workflows.

IMPORTANT NOTE: This security review & the review of the tests should take place using developers who have not coded the project already.

lol768 commented 7 years ago

https://ore.spongepowered.org/ appears to be using this for auth, as do the forums.

Did this audit take place? If so, are the results published anywhere?

windy1 commented 7 years ago

No, are you volunteering @lol768 ? :P

I can't really do it myself since I designed the application. Note: I have some local changes already implementing some of your suggestions; I will deploy a build soon.

lol768 commented 7 years ago

Haha, I don't mind looking at parts of Ore/Auth as I get the chance but I can't promise to look at it all.

I'll be interested to see your commits as they're made, @windy1