node-oauth / node-oauth2-server

🚀 The successor to oauthjs/oauth2-server. 🔒 Complete, compliant, maintained and well tested OAuth2 Server for node.js. Includes native async await and PKCE.
https://www.npmjs.com/package/@node-oauth/oauth2-server
MIT License

Add security consideration section to integration tests #65

Open jankapunkt opened 3 years ago

jankapunkt commented 3 years ago

We should add tests to fully cover section 10 - security considerations and cover as much as possible that can be covered without going into implementation details.

jwerre commented 3 years ago

I love this idea. I'm going to outline the tests and push a new security branch to start the discussion.

jwerre commented 3 years ago

I created a security branch and started outlining some of the tests here.

This is going to take some time and I'm not sure how much of this is going to be testable without a client, but I think it's a good goal. I'll continue to outline the tests and hopefully those will generate some good discussions. Thanks again for bringing this up @jankapunkt.

Uzlopak commented 2 years ago

Actually some interesting stuff. Like the authorization code should not be used multiple times, but if it is then revoke all access tokens based on the authorization code.

So some of these tests mean that we have to store some additional data, like a reference to the authorization code (the code itself or e.g. a SHA-1 hash) in the access token, to be able to revoke all access tokens based on that authorization code in that case.