Comments (4)
Wait, so essentially we're logging a user into an account that they did not provide credentials for. I understand that the user actually intends to log into A2 in this case. But if they provide credentials for A1 and get into A2, doesn't that open up some avenues of attack? It seems a bit fishy, but maybe it's not. I can't come up with an immediate attack vector. @tiblu, can you?
from citizenos-api.
@loorm nope, this is not the case. Both accounts are linked with the user's personal ID, and this login method is also listed under the user's available login methods when they click on an invite link and are prompted to log in. This will not be implemented for any e-mail based authentication methods.
IF A1 is created using e-ID login,
IF A2 has a UserConnection because they used e-ID signing while logged into account A2,
THEN I see no problem in the described implementation as the User has basically used their e-ID to claim the account or show access to that account.
Also, is it true that you CANNOT have n+1 EID UserConnections per account (user ID)? @ilmartyrk
@loorm @tiblu your description is correct. The user has multiple accounts connected with e-ID. One account can only have ONE EID UserConnection.