ThexXTURBOXx / flutter_web_auth_2

Flutter plugin for authenticating a user with a web service
https://pub.dev/packages/flutter_web_auth_2
MIT License

Issues expected when receiving access token as query parameters #61

Closed dbstn1325 closed 1 year ago

dbstn1325 commented 1 year ago

If an access_token is transferred as a query parameter from a separate server (for example, a Spring Boot server), this method appears to be at risk of the token being stolen before Flutter receives it. By any chance, is there a way to get the data delivered to `Uri.parse(result).body` instead of `.queryParameters`?

ThexXTURBOXx commented 1 year ago

What do you mean by "being stolen"? Alas, it is not possible to deliver the token through the body since it is not received through any of the interfaces.

dbstn1325 commented 1 year ago

I actually may be unfamiliar with 'getting access_token from outside into queryParameters' and 'how callbackUrlScheme works'.

What I am worried about and want to ask is below.

  1. I think that sending sensitive information such as 'access_token' in URL query parameters can pose several security risks.

     1-1. Wouldn't there be a security threat when HTTP communication itself is hijacked? (Because URLs are often logged in a variety of locations, including server logs, browser history, and analysis tools, 'access_token' is logged even if it is part of the URL, so the token may be exposed to unauthorized users.)

     1-2. MITM attack: Even if communication is encrypted using HTTPS, wouldn't an attacker be able to intercept communication and extract access_token from the URL?

  2. Wouldn't callbackUrlScheme eventually do HTTP communication, too? If so, wouldn't the possibility of problem 1-1 still be valid?

Thank you for listening to my opinion, and I will listen to your answer carefully.

ThexXTURBOXx commented 1 year ago

This is a great article about exactly this issue: https://blog.httpwatch.com/2009/02/20/how-secure-are-query-strings-over-https/

If you are using HTTP, don't. Yes, when using HTTPS, an attacker can intercept the packet, but still not extract the query parameters. However, as explained in the article, there are a few more things that could go wrong. Luckily, they are all on the server side, and hence it is still secure since we are on the client side when using HTTPS.

But as already said, HTTP is inherently insecure, and that by all means. Because of this, you should avoid it at all costs when doing anything with sensitive information.
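The following is an added example, not code from flutter_web_auth_2 or from either participant in this issue. It illustrates the one client-side choice the question leaves open: the string returned by the plugin is just a URL, and the token can be read from its fragment (the part after `#`) instead of from `queryParameters`. A URL fragment is never sent by a browser to the server it is redirecting to, so it does not appear in that server's access logs or in Referer headers, which is the logging concern raised above. The custom scheme `myapp`, the callback URLs and the token values are constructed for this example; the plugin's own `FlutterWebAuth2.authenticate()` call is not shown, only the handling of the `result` string it returns.

```dart
// Added example (not part of flutter_web_auth_2): read an access token from
// the callback URL's fragment first, and fall back to the query string.
// Assumptions (constructed for this example): the app registered the custom
// scheme "myapp" and the authorisation server redirects to
// "myapp://callback#access_token=..." (fragment) or "?access_token=..." (query).

class CallbackResult {
  final String? accessToken;
  final String source; // 'fragment', 'query' or 'none'
  const CallbackResult(this.accessToken, this.source);
}

/// Extracts access_token from the URL string that the auth flow returns.
/// The fragment is preferred because browsers never transmit it to the
/// redirect target, so it stays out of server logs and Referer headers.
CallbackResult extractAccessToken(String result) {
  final uri = Uri.parse(result);

  // uri.fragment is a raw string; split it with the same rules as a query.
  if (uri.fragment.isNotEmpty) {
    final fragmentParams = Uri.splitQueryString(uri.fragment);
    final token = fragmentParams['access_token'];
    if (token != null && token.isNotEmpty) {
      return CallbackResult(token, 'fragment');
    }
  }

  // Fallback for servers that still put the token in the query string.
  final token = uri.queryParameters['access_token'];
  if (token != null && token.isNotEmpty) {
    return CallbackResult(token, 'query');
  }
  return const CallbackResult(null, 'none');
}

/// Returns a copy of the callback URL with the token value masked, so that
/// the app's own debug logging never records the credential either.
String redactForLog(String result) {
  return result.replaceAllMapped(
    RegExp(r'(access_token=)[^&#]*'),
    (m) => '${m[1]}<redacted>',
  );
}

void main() {
  // Constructed sample callbacks; neither token value is real.
  const fromFragment =
      'myapp://callback#access_token=EXAMPLE_TOKEN_1&token_type=bearer';
  const fromQuery = 'myapp://callback?access_token=EXAMPLE_TOKEN_2&state=xyz';

  for (final result in [fromFragment, fromQuery]) {
    final parsed = extractAccessToken(result);
    print('${redactForLog(result)} -> source=${parsed.source}, '
        'tokenLength=${parsed.accessToken?.length ?? 0}');
  }
}
```

Run it with `dart run` on the file; it needs only `dart:core`. Moving the token into the fragment is a change on the server that issues the redirect, not in the plugin, and it only addresses the logging exposure discussed in this thread: an HTTPS-only redirect remains necessary regardless of where the token is placed.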

ThexXTURBOXx commented 1 year ago

Since there is no way for me to accomplish anything else, I think I can safely close this issue. If you disagree, please let me know and I will reopen the issue :)