search

yaseenkadir / etchedjournal

An encrypted journal where entries are etched in stone.
Apache License 2.0
0 stars 0 forks source link

Encrypter is not cleared when logging out #82

Closed yaseenkadir closed 5 years ago

yaseenkadir commented 5 years ago

STR

  1. Create 2 users with key pairs configured
  2. Login as user 1 and enter the passphrase to decrypt user 1s key
  3. Logout
  4. Login as user 2
  5. On the enter passphrase screen, navigate to /journals instead of entering the passphrase
  6. Gets stuck on Decrypting forever

When a user logs out, we don't clear the encrypter. When a user logs in again the encrypter is still set with the previous users keys.

Now we need to consider what happens with the keys when we log out.

Is it safe for us to just set the encrypter to be null? How long until it's garbage collected? Is it an issue if garbage collection takes some time?

Should we just reload and clear the page instead?

yaseenkadir commented 5 years ago

Lets just reload the page. We could definitely clear the encrypter on logout but I'm nervous that this vulnerability will come up another way.