passport / www.passportjs.org

The official website of Passport.js.
https://www.passportjs.org

Update list of strategies #32

Closed ghaiklor closed 3 years ago

ghaiklor commented 9 years ago

How can we update the strategies list?

For example, I have a lot of strategies that allow authenticating a user in social networks by an access token received from a mobile application (it's a clean REST API, so that's why I created strategies for this).

How can I create a PR or something to add those to the strategies list?

jaredhanson commented 9 years ago

To start, put links to them here. I'll make sure they are indexed for search.


ghaiklor commented 9 years ago

@jaredhanson thanks, here is the list:

https://github.com/drudge/passport-facebook-token
https://github.com/drudge/passport-twitter-token
https://github.com/ghaiklor/passport-yahoo-token
https://github.com/ghaiklor/passport-google-plus-token
https://github.com/ghaiklor/passport-amazon-token
https://github.com/ghaiklor/passport-yandex-token
https://github.com/ghaiklor/passport-twitch-token
https://github.com/ghaiklor/passport-windows-live-token
https://github.com/ghaiklor/passport-soundcloud-token
https://github.com/ghaiklor/passport-reddit-token
https://github.com/ghaiklor/passport-paypal-token
https://github.com/ghaiklor/passport-instagram-token
https://github.com/ghaiklor/passport-github-token
https://github.com/ghaiklor/passport-foursquare-token
https://github.com/ghaiklor/passport-vkontakte-token

ghaiklor commented 9 years ago

@jaredhanson so what about this task? Can we close it, or is it still not added to the passport strategies?

jaredhanson commented 9 years ago

Many (most?) of these strategies are insecure and vulnerable to token substitution attacks. There is no check that the client presenting the token is the client that was issued the token. This is especially critical for bearer tokens issued via OAuth 2.0.

I started a branch of passport-facebook-token a while back that illustrates the fix: https://github.com/jaredhanson/passport-facebook-token/blob/check-audience/lib/passport-facebook-token/strategy.js#L186

I'll add them to the list when the vulnerabilities are fixed.

ghaiklor commented 9 years ago

@jaredhanson passport-facebook-token is updated.

https://github.com/drudge/passport-facebook-token/blob/master/src/index.js#L112

And enableProof is enabled by default.

ghaiklor commented 9 years ago

@jaredhanson passport-twitter-token also uses checking for consumerKey and secret.

But how can I implement this for other social networks? I can't find any information about this in their docs.

ghaiklor commented 3 years ago

Closing this one as stale