vsivsi / meteor-file-collection

Extends Meteor Collections to handle file data using MongoDB gridFS.
http://atmospherejs.com/vsivsi/file-collection
159 stars, 37 forks

Do not pass auth tokens in URL parameters! #97

Open crapthings opened 8 years ago

crapthings commented 8 years ago

we are using cordova inappbrowser to open doc files that can be viewed by the system browser

http://ip:3000/res/docs/d41d8cd98f00b204e9800998ecf8427e?download=true&filename=%E6%B6%89%E7%A8%8E%E9%89%B4%E8%AF%81%E4%B8%9A%E5%8A%A1%E7%BA%A6%E5%AE%9A%E4%B9%A6.doc

because it opens the native browser, the user has to log in to download the file

can we pass the auth token in the query string so we can download the file?

cordova.InAppBrowser.open(`http://ip:3000/res/docs/d41d8cd98f00b204e9800998ecf8427e?download=true&filename=%E6%B6%89%E7%A8%8E%E9%89%B4%E8%AF%81%E4%B8%9A%E5%8A%A1%E7%BA%A6%E5%AE%9A%E4%B9%A6.doc&token=${token}`, '_system')
crapthings commented 8 years ago

something like this?

handle_auth = (req, res, next) ->
  unless req.meteorUserId?
    # Look up the userId if a token is provided in the HTTP header
    if req.headers?['x-auth-token']?
      req.meteorUserId = lookup_userId_by_token req.headers['x-auth-token']
    # Or in a cookie of the same name
    else if req.cookies?['X-Auth-Token']?
      req.meteorUserId = lookup_userId_by_token req.cookies['X-Auth-Token']
    # Or (as proposed here) as a URL query parameter
    else if req.query?['xauthtoken']?
      req.meteorUserId = lookup_userId_by_token req.query['xauthtoken']
    else
      req.meteorUserId = null
  # Hand off exactly once, whichever branch ran
  next()
vsivsi commented 8 years ago

Hi, passing the auth token in a user visible URL parameter is highly insecure, and violates good security practices. The auth token allows the bearer full access to the user account. So, for example, if a user copies such a link into an email, or posts it into a public message board, they will have just given the recipients full access to their account, up to and including the ability to change the password and take full control of the account.

Using a Meteor Authentication Token in this way is _highly insecure_!

crapthings commented 8 years ago

how about using a file access token?

vsivsi commented 8 years ago

Sure, you can create your own per file random tokens, store them in the file metadata, and then write allow rules to check a URL parameter against that stored token. That will work great so long as you don't care if the user accessing the file has an account on the server (i.e. knowing the file token is sufficient for your application). That's probably good enough for many purposes because the secret only grants access to one file, and can be easily removed by simply removing or replacing the token in the file metadata.

There are some examples like this here: http://github.com/vsivsi/meteor-file-collection#configuring-http-methods