Old tokens are not replaced or set invalid · Issue #1437 · wekan/wekan · GitHub

Old tokens are not replaced or set invalid #1437


Open
Gobliins opened this issue Jan 25, 2018 · 5 comments

Comments

@Gobliins
Gobliins commented Jan 25, 2018

When a new token is generated by logging in with something like this:
curl http://127.0.0.1:24000/users/login -d "username=name&password=123"

You get a token for the auth to use the Rest API.

When I log in again to get a new token, the old token is still accepted as valid.

Shouldn't the old token be replaced by the new token or set as invalid?

Come to think of it... the auth / login stuff is done by which package (is it https://atmospherejs.com/simple/rest-accounts-password ? ) ?

@xet7 xet7 added the API:REST label Jan 30, 2018
@Gobliins
Author
Gobliins commented Jan 31, 2018

OK, I did some research: the login tokens are stored under resume.loginTokens, and you can configure the expiration with a setting loginExpirationInDays, where null or 0 means never delete tokens.

What does this mean:
- REST API acquired tokens are not separated from normal GUI login tokens
- Deleting / replacing tokens can therefore be problematic
- To do this, however, either there has to be a way to hook into the login / logout method
- or write a separate logout method (API endpoint) which deletes the tokens

So, if you want, you can close this, or if you think token handling is fine this way. And all in all this is an issue of https://atmospherejs.com/simple/rest-accounts-password.

I just wanted to give you the information i gathered.

@MonkeyNinja

Is there a way to 'logout' the API? I can't see one listed, and various things I've tried don't seem to log the account out. And this issue here hints that I have probably created 50+ valid tokens recently.

@xet7
Member
xet7 commented Jan 29, 2021

I would presume tokens are time limited. Someone could look at code how tokens are created, are they saved to database, how to remove those, etc. Pull requests welcome.

@MonkeyNinja

Tokens created by the API seem to have a 3 month expiry, so if any token 'leaks' it does seem a potential security risk.

tokenExpires:"2021-04-29T10:52:22.234Z"

@AbdullahAlAsad

There is another pressing issue: there is no way to set logout for OAuth2.
At the Wekan REST API there is login https://github.com/wekan/wekan/wiki/REST-API#summary but not logout yet, so maybe I need to add a logout URL for Wekan?
What about this?
Is it possible to implement something to achieve this?
sudo snap set wekan oauth2-logout-endpoint='/logout'
