Closed marshallswain closed 7 years ago
For initial login, securing the login/logout events to the current socket connection is problematic. If we consider that we have two pages:
Before we authenticate the user, we don't have a method of marking the socket connections as belonging to the user. So when we get successful auth on the "success redirect" page, we can't target the main app page because its socket is still anonymous.
We might be able to make this happen if we setup a way of authenticating anonymous users.
feathers-jwt
cookielogin
event to any socket.io connection containing the anonymous user inside the cookie. The main app page will receive this notification and can update its stored token.@marshallswain can you not just:
You shouldn't have to try and notify the socket in the parent window from server to client that they are authenticatd.
@ekryski That's what I was originally looking at doing, but I couldn't figure out how to get a reference to the parent window again after all of the redirects.
Did you look at how Auth0 does it in their lock repo?
Nope. Good idea.
There's a potential CSRF-related security concern with trusting the cookie, but I believe the likelihood of being able to pull it off is close to impossible as long as XSS attacks are properly avoided. The perpetrator, at domain attacker.com
would have to open a socket connection to the API server after the anonymous user token has been created. This would then allow the socket connection from attacker.com
to receive the new auth information.
But really, if there's an XSS issue on the page, why not just skim the token from localStorage or the cookie.
Closing this for now. This might be a priority in the future, but I have the OAuth popups working, now, without this.
We can take advantage of the realtime socket events to handle sessions. We don't want to broadcast the event to everybody in some apps, so we need to be able to secure it.