Skip to content

Commit

Permalink
Remove the undocumented login-with-token page
Browse files Browse the repository at this point in the history
There are several problems with this feature:

1. To use it, you have to put the user's token in the URL. This token lasts
   forever (unless the user explicitly logs out), so it is nearly as
   sensitive as the user's password. Embedding such sensitive information in
   the URL is problematic, because URLs are saved in the browser history,
   dumped to server logs and displayed on the screen, none of which are
   secure locations. A user could also accidentally share a URL with an
   embedded token.

2. If an attacker can get a user to follow a malicious link, they could
   forcibly log that user into the attacker's account (AKA "login CSRF").
   This by itself is just a nuisance, but the attacker could potentially use
   this to trick the victim into, for example, uploading confidential data
   to the attacker's account.

3. By design, it requires the use of token authentication, whose drawbacks I
   have explained in #8289.

   In fairness, when originally implemented, this feature set the session
   cookie rather than the token, but this cannot work if the user is already
   logged in, as the `sessionid` cookie is marked `HTTPOnly` and cannot be
   overridden by JavaScript. So the only way for this feature to work in all
   circumstances is to set the token.

Generally, the use cases of this feature are better served by single sign-on
protocols, which don't suffer from these drawbacks.
  • Loading branch information
SpecLad committed Aug 22, 2024
1 parent 3fdb032 commit f3ebea1
Show file tree
Hide file tree
Showing 5 changed files with 5 additions and 55 deletions.
4 changes: 4 additions & 0 deletions changelog.d/20240822_134319_roman_rm_login_with_token.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
### Removed

- Removed the `/auth/login-with-token` page
(<https://github.com/cvat-ai/cvat/pull/8336>)
2 changes: 1 addition & 1 deletion cvat-ui/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "cvat-ui",
"version": "1.64.6",
"version": "1.65.0",
"description": "CVAT single-page application",
"main": "src/index.tsx",
"scripts": {
Expand Down
11 changes: 0 additions & 11 deletions cvat-ui/src/components/cvat-app.tsx
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ import Text from 'antd/lib/typography/Text';

import LogoutComponent from 'components/logout-component';
import LoginPageContainer from 'containers/login-page/login-page';
import LoginWithTokenComponent from 'components/login-with-token/login-with-token';
import RegisterPageContainer from 'containers/register-page/register-page';
import ResetPasswordPageConfirmComponent from 'components/reset-password-confirm-page/reset-password-confirm-page';
import ResetPasswordPageComponent from 'components/reset-password-page/reset-password-page';
Expand Down Expand Up @@ -501,11 +500,6 @@ class CVATApplication extends React.PureComponent<CVATAppProps & RouteComponentP
<Layout.Content style={{ height: '100%' }}>
<ShortcutsDialog />
<Switch>
<Route
exact
path='/auth/login-with-token/:token'
component={LoginWithTokenComponent}
/>
<Route exact path='/auth/logout' component={LogoutComponent} />
<Route exact path='/projects' component={ProjectsPageComponent} />
<Route exact path='/projects/create' component={CreateProjectPageComponent} />
Expand Down Expand Up @@ -590,11 +584,6 @@ class CVATApplication extends React.PureComponent<CVATAppProps & RouteComponentP
<Route exact path='/auth/email-verification-sent' component={EmailVerificationSentPage} />
<Route exact path='/auth/incorrect-email-confirmation' component={IncorrectEmailConfirmationPage} />
<Route exact path='/auth/login' component={LoginPageContainer} />
<Route
exact
path='/auth/login-with-token/:token'
component={LoginWithTokenComponent}
/>
{isPasswordResetEnabled && (
<Route exact path='/auth/password/reset' component={ResetPasswordPageComponent} />
)}
Expand Down
25 changes: 0 additions & 25 deletions cvat-ui/src/components/login-with-token/login-with-token.tsx

This file was deleted.

18 changes: 0 additions & 18 deletions tests/cypress/e2e/actions_users/issue_1810_login_logout.js
Original file line number Diff line number Diff line change
Expand Up @@ -58,24 +58,6 @@ context('When clicking on the Logout button, get the user session closed.', () =
cy.contains('.cvat-task-details-task-name', `${taskName}`).should('be.visible');
});

it('Logout and login to task via token', () => {
cy.logout();
// get token and login to task
cy.request({
method: 'POST',
url: '/api/auth/login',
body: {
username: Cypress.env('user'),
email: Cypress.env('email'),
password: Cypress.env('password'),
},
}).then(async (response) => {
const token = response.body.key;
cy.visit(`/auth/login-with-token/${token}?next=/tasks/${taskId}`);
cy.contains('.cvat-task-details-task-name', `${taskName}`).should('be.visible');
});
});

it('Login via email', () => {
cy.logout();
login(Cypress.env('email'), Cypress.env('password'));
Expand Down

0 comments on commit f3ebea1

Please sign in to comment.