[security] Generated tokens are broadcast to all socket clients (by default) #126

t2t2 · 2016-03-25T09:00:06Z

daffl · 2016-03-25T14:30:39Z

Oh dear. This can be fixed quickly though via:

app.service('auth/local').filter(() => false);

Which should probably be the default for all auth services (we don't need their events anwyay).
We were discussing turning off event dispatching by default so you have to enable it explicitly. It would be the more secure but also more confusing approach.

ekryski · 2016-03-25T14:39:51Z

👍 @t2t2 thanks for pointing it out. I was aware of this and have a note in the code but forgot to create an issue and completely forgot about it!

We'll get a fix in for this soon. In the mean time anyone can lock down their services by doing what @daffl mentioned.

ekryski added the Bug label Mar 26, 2016

ekryski modified the milestones: 1.0, 0.7 Mar 26, 2016

ekryski changed the title ~~Generated tokens are broadcast to all socket clients (by default)~~ [security] Generated tokens are broadcast to all socket clients (by default) Mar 26, 2016

ekryski mentioned this issue Mar 30, 2016

0.7 Release #139

Merged

17 tasks

ekryski closed this as completed in 44aa4c3 Mar 30, 2016

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[security] Generated tokens are broadcast to all socket clients (by default) #126

[security] Generated tokens are broadcast to all socket clients (by default) #126

t2t2 commented Mar 25, 2016

daffl commented Mar 25, 2016

ekryski commented Mar 25, 2016

[security] Generated tokens are broadcast to all socket clients (by default) #126

[security] Generated tokens are broadcast to all socket clients (by default) #126

Comments

t2t2 commented Mar 25, 2016

daffl commented Mar 25, 2016

ekryski commented Mar 25, 2016