Closed Akilditu closed 6 months ago
Perhaps an idea in the long term:
Thanks for opening this issue and for the proposals above. Letting the token expire after 24 hours might indeed be a solution (which I prefer to having the user log in every hour to be honest).
But I was wondering whether we may have an alternative by providing two options to renew the token:
the usual one with complete credentials;
and another one that would use a sort of admin-only key (something that only Pyronear members would have, like the secret environment variables that this repo uses). This could be something like:
client.refresh_token(user_ID=user_ID, admin_key=key)
Which would yield a new token, specific to the user's scope, without requiring full credentials. This second option would only be used by the platform to renew the user's token every hour.
From a security perspective, we cannot go with your 2nd proposal
As of now, device are the only type of access with non-expiring tokens
Also:
That being said, I prefer to change the default expiration of tokens for some access scope than setting them to unlimited. I was actually thinking about switching back to expiring token for device (setting it to a month and adding a mechanism to request a new token each time).
Something to keep in mind:
The potential consequences of someone capturing an unexpiring token with, say, admin scope are disastreous :
From a security perspective, we cannot go with your 2nd proposal
Thanks a lot for your reply!
But to be honest, I am not sure to clearly see the arguments in favour of your conclusion.
You explain that having unexpiring tokens would lead to security issues, especially with the admin scope. Although I understand this very well, I was not proposing to have unexpiring tokens.
To put it very simply, my proposal would be:
In that case, if someone captures a token, this person does not have unlimited access to the database, it only has for 1 hour. To have unlimited access to the database, one would need either the credentials corresponding to the token captured or the admin credentials. Note that already in the current situation, someone with credentials has an unlimited access to (part of) the database.
admin credentials or some kind of admin authentication allow to refresh any token, be it a user or admin scope.
About that part, the current token is generated with some content (access ID + the scope + expiration timestamp). But even an admin cannot guess the access ID of a user without having the login for instance.
However, if I understand your suggestion:
Is that correct? I must admit I don't really see the point if so, because then you'll need to store the credentials for the admin token somewhere :man_shrugging: But maybe I'm misunderstanding
Fix with new platform version
Hi Everyone,
For now this "patch solution" has been adopted (#85) to keep users's sessions alive once logged :
The main purpose was to maintain minimal alert screen's broadcast "forever" but this also leads to a lack of security.
Some options would be to