Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: update the SSO process #523

Merged
merged 1 commit into from
Feb 11, 2025
Merged

security: update the SSO process #523

merged 1 commit into from
Feb 11, 2025

Conversation

judu
Copy link
Member

@judu judu commented Feb 10, 2025

After receiving a privsec breach report, we updated our SSO process. This fixes the main issues:

  • Add-on APIs using the example password and sso_salt from this documentation
  • The token is not signing all the fields that we send to the SSO URL. You can impersonate a user by using their email.

The email has never be documented as a secure identification method, but some providers used it anyway. It’s best to acknowledge the breach and sign the whole body.

Checklist

Reviewers

@ssauvin

@judu
security: update the SSO process
799a499 
After receiving a privsec breach report, we updated our SSO process.
This fixes the main issues:
- Add-on APIs using the example password and sso_salt from this
  documentation
- The `token` is not signing all the fields that we send to the SSO URL.
  You can impersonate a user by using their email.

The email has never be documented as a secure identification method, but
some providers used it anyway. It’s best to acknowledge the breach and
sign the whole body.
@judu judu temporarily deployed to PR review apps February 10, 2025 14:25 — with GitHub Actions Inactive
@judu judu requested a review from ssauvin February 10, 2025 14:25
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 10, 2025
edited
Loading

👋` Review app deleted

You closed this PR and deleted the review app.

ssauvin
ssauvin approved these changes Feb 10, 2025
View reviewed changes
Copy link

@ssauvin ssauvin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok for me, thank you!

@davlgd davlgd merged commit e638e20 into main Feb 11, 2025
4 checks passed
@davlgd davlgd deleted the judu/document-security-fix-for-marketplace-api branch February 11, 2025 16:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ssauvin ssauvin ssauvin approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@judu @ssauvin @davlgd