Issue (Open), opened by crapthings 8 years ago
Something like this?
```coffeescript
handle_auth = (req, res, next) ->
  unless req.meteorUserId?
    # Look up the userId if a token is provided in an HTTP header
    if req.headers?['x-auth-token']?
      req.meteorUserId = lookup_userId_by_token req.headers['x-auth-token']
    # Or in a cookie of the same name
    else if req.cookies?['X-Auth-Token']?
      req.meteorUserId = lookup_userId_by_token req.cookies['X-Auth-Token']
    # Or as a URL query parameter
    else if req.query?['xauthtoken']?
      req.meteorUserId = lookup_userId_by_token req.query['xauthtoken']
    else
      req.meteorUserId = null
  # Always hand the request on; whether a null userId may proceed is decided
  # by the allow rules that run afterwards
  next()
```
Hi, passing the auth token in a user visible URL parameter is highly insecure, and violates good security practices. The auth token allows the bearer full access to the user account. So, for example, if a user copies such a link into an email, or posts it into a public message board, they will have just given the recipients full access to their account, up to and including the ability to change the password and take full control of the account.
Using a Meteor Authentication Token in this way is _highly insecure_!
How about using a file access token?
Sure, you can create your own per-file random tokens, store them in the file metadata, and then write allow
rules to check a URL parameter against that stored token. That will work great so long as you don't care if the user accessing the file has an account on the server (i.e. knowing the file token is sufficient for your application). That's probably good enough for many purposes because the secret only grants access to one file, and can be easily removed by simply removing or replacing the token in the file metadata.
There are some examples like this here: http://github.com/vsivsi/meteor-file-collection#configuring-http-methods
We are using the Cordova InAppBrowser to open a .doc file that can be viewed by the system browser.
Because it opens the native browser, the user has to log in to download the file.
Can we pass the auth token in the query string so we can download the file?