debate-map / app

Monorepo for the client, server, etc. of the Debate Map website.
https://debatemap.app
MIT License

Graphql function to get the user's debatemap Id from a Google Id. #248

Closed. maparent closed this 11 months ago

maparent commented 11 months ago

Needed for claimminer user sync. There is a minor security risk in that, if an attacker has someone's googleId (which should not be easy) they can determine whether that person is registered in debateMap, and what their public activity was. Given that public activity already gives the person's name, I think this is acceptable.

Venryx commented 11 months ago

Regarding the minor security risk, my suggestion: Require that the proposed endpoint be supplied with a special JWT, which we only share with trusted projects that need to do user matching/synchronization (e.g. claim-miner).

This way, it cannot as easily be turned into an attack vector. (e.g. someone DMs a target user with a link to a fake debate-related website, which on sign-in collects their google-id, in order to then unmask their identity+activity on the debate-map platform)

EDIT: Regarding the person's name, the user is able to edit that from their profile page, so that is less of a concern than their google-id, which cannot be changed AFAIK. The proposed endpoint seems fine to me though, with the added JWT requirement described above. (we can use a very long expiry time; a never-expiring but also never-knowingly-publicly-shared JWT is still much better than none at all)
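
The JWT gate suggested in the thread above, sketched as an added example that is not part of the discussion or of the debate-map code base: the resolver verifies a shared-secret service token before it touches the google-id lookup, so an unauthenticated caller gets the same refusal whether or not the id is registered. All names (`SERVICE_SECRET`, `TRUSTED_SUBJECTS`, `user_id_for_google_id`, the `scope` claim), the choice of HS256 and the sample values are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed values; a real deployment loads the secret from server config.
SERVICE_SECRET = b"constructed-demo-secret"
TRUSTED_SUBJECTS = {"claim-miner"}              # hypothetical allow-list
USERS_BY_GOOGLE_ID = {"g-1001": "dm-user-aaa"}  # constructed lookup table

def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _sign(signing_input, secret):
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()

def issue_service_token(subject, secret=SERVICE_SECRET, exp=None):
    """Mint an HS256 token for a trusted project; exp=None never expires."""
    claims = {"sub": subject, "scope": "user-sync"}
    if exp is not None:
        claims["exp"] = exp
    head = _enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _enc(json.dumps(claims).encode())
    return f"{head}.{body}.{_enc(_sign(f'{head}.{body}', secret))}"

def verify_service_token(token, secret=SERVICE_SECRET, now=None):
    """Return the claims of a valid service token, else None."""
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm so the token cannot select "none" or another scheme.
        if json.loads(_dec(head)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(_sign(f"{head}.{body}", secret), _dec(sig)):
            return None
        claims = json.loads(_dec(body))
        exp = claims.get("exp")
        if exp is not None and (time.time() if now is None else now) >= exp:
            return None
        if claims.get("sub") not in TRUSTED_SUBJECTS or claims.get("scope") != "user-sync":
            return None
        return claims
    except (ValueError, AttributeError, TypeError):
        return None

def user_id_for_google_id(token, google_id):
    """Refuse before the lookup, so an unauthenticated caller learns nothing."""
    if verify_service_token(token) is None:
        return {"error": "unauthorized"}
    return {"userId": USERS_BY_GOOGLE_ID.get(google_id)}
```
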