Open femisimon opened 7 years ago
shana
commented
7 years ago We have no way of knowing if the credentials are valid or not, the only validation we have is whether the server accepts them. If the server accepts them, they're valid 😛
@shiftkey @Haacked Have you seen this before? Is ghe just using the token as user ID and ignoring the username?
shiftkey
commented
7 years ago @shana
Is ghe just using the token as user ID and ignoring the username?
I would not be surprised if there's something in the auth flow where we look at the GHE token - there's cases where the username just isn't needed. You should be able to sniff the traffic with Fiddler and see the Authorization header that gets sent.
Description
Users with invalid login information should be restricted from logging into the user GHE account with a friendly message returned indicating why login failed. But currently users with invalid username and valid token and valid server can access a GHE account. Do we require just valid token and valid server to allow access to a GHE account?
Steps to reproduce
Expected - User login request should be rejected
Actual - User's login request and attempt is successful.
Extension Log
2016-10-23 21:16:36.1920|INFO|thread: 1|RepositoryHosts|Log in to ghe.io host 'http://ghe.io/api/v3/' with username 'kemisimon' SUCCEEDED 2016-10-23 21:16:39.9421|INFO|thread: 1|RepositoryHost|Logged off of host 'http://ghe.io/api/v3/' 2016-10-23 21:16:39.9421|INFO|thread: 1|LoginCache|Erasing the git credential cache for host 'http://ghe.io/' 2016-10-23 21:17:05.6471|INFO|thread: 1|RepositoryHost|Log in from cache for login 'femisimon' to host 'http://ghe.io/api/v3/' SUCCEEDED 2016-10-23 21:17:05.6471|INFO|thread: 1|RepositoryHosts|Log in to ghe.io host 'http://ghe.io/api/v3/' with username 'evilseeker' SUCCEEDED 2016-10-23 21:17:24.0110|INFO|thread: 1|RepositoryHost|Logged off of host 'http://ghe.io/api/v3/' 2016-10-23 21:17:24.0181|INFO|thread: 1|LoginCache|Erasing the git credential cache for host 'http://ghe.io/'