-
Notifications
You must be signed in to change notification settings - Fork 43
Security
This page contains security caveats, in no particular order.
Use HTTPS throughout, especially when sending sensitive information (sign in credentials, credit card numbers, etc).
ember-auth is no replacement for secure server-side API code.
You should treat your ember app as a fancy UI for your server's API service, and implement validations and security checks server-side, much like you should never rely on client-side data validation.
Think of it this way: some of your API endpoints is protected, and needs an
authentication token to consume. ember-auth does nothing more than providing
a convenience method for users to obtain this token, in order to consume your
protected API endpoints.
The bottom line: Anybody can consume your API service, not only your ember app.
ember-auth can auto-load the current user based on the current user ID, but
do not rely on the ID as the sole identifier of current user access rights.
Any user can manipulate the client-side ember app, or send a direct request
to your server API end point, with a different user ID pretending to be the
"current user".
Implement a server-side check on your user model, such that access control is based on the authentication token, not the current user ID. (Unless you are having admin users, of course.)
The remember token is stored in plain text in a cookie. Do not use the login credentials directly as the remember token. Hash them, generate a new random token, or use similar ideas.
If one gets hold of your remember me cookie, anybody can issue a sign in request by consuming your API end point directly. You should implement guards on your API end points; some ideas:
- a same-origin-only policy?
- keeping a log of remember token sign-ins to identify suspicious behavior?
Do not rely on the cookie expiry time. The remember me valid period should be implemented on your server, e.g. by a field storing the remember me token generation time.
Also consider:
- should the remember me option be on, or off, by default?
- should the remember period be auto-extended on subsequent sign-ins?
Ember-data currently does not offer any way of clearing the data store.
This is very unexpected, and has already been reported.
(Issue #235)
For now, do not rely on any model data being unavailable, even after
a user has signed out. If your site is a high-security one, then force the
browser to refresh after sign out (cf. this comment). For a leisure site, you can wrap sections
with the if auth.authToken conditional to hide them from the casual user.
Note, however, that due to this bug, if your models use any sort of scoping based on the current signed in user, then the user will see residues models left behind from the previous sign in (of another user). In this case, and if you don't want ugly hacks checking the scope client-side, then you'll have to go for the browser-refresh method.