Closed techcobweb closed 1 month ago
@eamansour Does the above make sense?
Eamonn Mansour:
Hi, yep, the above story makes sense. Just had a quick look, and the refresh token in the bearer token file isn't actually being used, so removing it from the file won't affect anything.
Michael Cobbett: OK thanks.
Story
As a Galasa user, I don't want anyone to know my Galasa refresh token, so I do not want it stored with the JWT in the bearer-token.json file in my GALASA_HOME folder.
Background
The file currently contains
If someone got hold of a bearer token using just this file, would they be able to refresh it when it expired? I guess they don't have the client ID or secret, but it would help them hack it if they were so inclined, and it offers another attack vector which is avoidable?
We also need to be able to cope with existing bearer token files which contain the refresh token.
There are no external docs impacts.
Tasks