Comments (3)
You're correct, thanks for bringing this up. I believe it's a tradeoff we're doing right now, to ease the life of the users.
Some more context:
- the
id
of the project is not secret, and is not shared with other services, so for instance a leak of a database wouldn't be usable with other leaked databases (like we see for usernames/emails)
Mitigations:
- We have a protection in place for logins, but only used for
/admin
, so I wonder if we should also protect other resources, and if that would be enough to mitigate this. - Always present the authenticator page, even when the project doesn't exist.
- Never present the authenticator page, even when the project exists, and always redirect to the front page.
What do you think?
from ihatemoney.
We want to display the authentication page in all cases, and ideally merge the project creation form with the one from the homepage.
from ihatemoney.
Sorry for the late reply, that would be better in term of security,
from ihatemoney.
Related Issues (20)
- Mobile web UX improvements HOT 3
- CSRF Token HOT 2
- Can't access my project anymore, says it doesn't exist HOT 6
- Deprecate 'latest' tag on docker hub HOT 2
- Werkzeug 2.3 incompatibility: AttributeError: 'NoneType' object has no attribute 'lower' HOT 4
- Use the ActivityPub protocol to federate usage across ihatemoney instances HOT 3
- Change project password as admin without knowing the old one HOT 1
- If I add something the confirmation overlay is over new entry
- E-Mail with the internal IP HOT 2
- Changing any settings is prevented when project has existing currency HOT 2
- Bill Type: Invalid Choice: could not coerce. HOT 3
- Adding invalid reimbursements can cause the debt solver to fail HOT 2
- Cannot install in dev mode with python 3.12 HOT 4
- Find a consistent name for the new "reimbursement" / "settlement" / "transfer" bill type HOT 8
- CSRF Token: The CSRF tokens do not match. HOT 1
- Figure out how to generate correct URLs in emails
- Feature request: users and permissions HOT 2
- Login with wrong password
- [Question] HOW to access the admin dashboard ? HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from ihatemoney.