Comments (2)
a) no way it can be true, as there was a 3 second delay between the two clicks
This error masks what really happened, which I believe was mozilla/webmaker-firehose#4
b) Seems wrong to me that the validity is specified in the query parameters
The validity param actually refers to how long the session cookie should be set for - it tells the browser to ask for a one-year cookie vs a session cookie. Since the cookie generation happens on the app server and not on the login server, it didn't seem necessary to handle that there (on the login server).
Also not sure why we're passing the uid through the query string.
The instant login requires knowing the UID (username). Because the login keys are only 10 characters long, an attacker could theoretically attempt to auth until they hit a valid token for any user, not worrying about also keying the attempt on a uid. Of course, rate limiting also plays a role in mitigating bad things like that.
from login.webmaker.org.
Cool. I'll follow the other thread. Thanks for the explanation!
Related Issues (20)
- bugzilla link in readme is incorrect
- following readme instructions gives a DB error
- update deps, move to 0.12.6+
- need to update sequelize, security vulnerability
- update to express 4.x
- Verifying user passwords takes a significant amount of time because we use bcrypt
- Send out transactional emails to users 3 days after Webmaker install
- fix all the warnings + errors for login on node 0.12
- bcrypt is breaking login.wmo on windows
- Privacy policy & Terms of Service links need to be updated
- less-middleware and rtltr-for-less were PoC and got deleted
- Password reset emails not received
- Delete account function on /account broken
- sqlite and jshint are breaking the build
- Update to node 8.x LTS
- Migrate away from native bcrypt with Javascript bindings
- Update Node.js
- Update dependencies
- Wiki changes
- CODE_OF_CONDUCT.md file missing