multinet-app / multinet-server

Multinet server application
https://multinet-app.readthedocs.io
Apache License 2.0

Don't return `multinet` field in user info response #394

Closed jjnesbitt closed 2 years ago

jjnesbitt commented 4 years ago

Currently, in our /user/info endpoint, we return the user info, along with our tacked-on `multinet` field of the following form:

multinet: {
  session: String
}

There's really no reason to include this in the API response, as the state of being logged in/logged out is kept as a cookie in the browser, and shouldn't need to be accessed programmatically.

jjnesbitt commented 4 years ago

We've since expanded the use of users, and this is now a security issue. Due to user search and permissions, it's now possible to see the session token of other users, either by searching and looking at the returned object, or by observing the returned permissions data on a workspace that you're at least a maintainer of. This could then be used to sign in as that user.
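Added example (not multinet-server's own code): one sanitizer applied at the serialization boundary strips the `multinet` block from a single user, a search result list, or a workspace permissions document, and a check confirms no session key survives. The user records, the `WORKSPACE_PERMISSIONS` shape and the function names are assumptions constructed for this example.

```python
from typing import Any

# Constructed sample records (not real multinet data).  The `multinet.session`
# value is the server-side login token that issue #394 says must never be
# returned in user info, search results or workspace permissions.
ALICE = {"sub": "user-1", "name": "Alice", "multinet": {"session": "tok-alice"}}
BOB = {"sub": "user-2", "name": "Bob", "multinet": {"session": "tok-bob"}}

# Assumed shape of a workspace permissions response: each role maps to full
# user objects, so every record must pass through the same sanitizer.
WORKSPACE_PERMISSIONS = {"owner": ALICE, "maintainers": [BOB], "readers": []}


def strip_session(payload: Any) -> Any:
    """Return a deep copy of `payload` with every `multinet` block removed.

    Handles any nesting of dicts and lists, so it can be applied once to a
    single user, a list of search hits, or a permissions document.
    """
    if isinstance(payload, dict):
        return {k: strip_session(v) for k, v in payload.items() if k != "multinet"}
    if isinstance(payload, list):
        return [strip_session(item) for item in payload]
    return payload


def leaks_session(payload: Any) -> bool:
    """Response check: True if any nested object still carries a `session` key."""
    if isinstance(payload, dict):
        if "session" in payload:
            return True
        return any(leaks_session(v) for v in payload.values())
    if isinstance(payload, list):
        return any(leaks_session(item) for item in payload)
    return False


def sanitized_permissions(perms: dict) -> dict:
    """What the permissions endpoint should return: stripped, then verified."""
    cleaned = strip_session(perms)
    if leaks_session(cleaned):
        raise RuntimeError("session token would have been exposed in response")
    return cleaned
```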