
@kieraneglin
Owner

What's new?

N/A

What's changed?

  • Updates the RSS feed and OPML feed copy buttons to be links. This gives all the UX niceties that links provide while still keeping the same copy functionality as before

What's fixed?

  • Improves OPML route security by requiring a token to be passed
    • Before, someone could access your OPML file if they knew the public URL for your Pinchflat instance and you had expose_feed_endpoints enabled. Now, an installation-specific unique token is required to access the OPML file in all cases
    • This isn't a perfect solution since an attacker would only need to know your route token to access your OPML file, but I consider this a low-risk issue both in terms of likelihood and potential risk. If you disagree, please also disable expose_feed_endpoints
    • expose_feed_endpoints is still respected and takes precedence over the token - if you haven't exposed your feed endpoints, both the token and HTTP Basic Auth will be required (if present)
    • The token is auto-generated and automatically copied when you copy the OPML feed - no additional user input should be needed as compared to the old approach
    • Resolves [FR] "secure" the OPML Route #532

Any other comments?

N/A
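As an added illustration of the access rule described above (this is not Pinchflat's own code): a Phoenix plug that always requires the route token and, when expose_feed_endpoints is off, additionally requires HTTP Basic Auth whenever credentials are configured. The OTP app name, the config keys (route_token, expose_feed_endpoints, basic_auth) and the route_token query parameter are assumptions.

```elixir
defmodule PinchflatExampleWeb.Plugs.OpmlAccess do
  import Plug.Conn

  # Assumed OTP app name and config keys; not Pinchflat's real configuration.
  @app :pinchflat_example

  def init(opts), do: opts

  def call(conn, _opts) do
    conn = fetch_query_params(conn)
    exposed? = Application.get_env(@app, :expose_feed_endpoints, false)

    with :ok <- check_token(conn, Application.fetch_env!(@app, :route_token)),
         :ok <- check_basic_auth(conn, exposed?) do
      conn
    else
      {:error, :unauthorized} ->
        conn
        |> put_resp_header("www-authenticate", ~s(Basic realm="opml"))
        |> send_resp(401, "Unauthorized")
        |> halt()
    end
  end

  # The token is required whatever expose_feed_endpoints says; compare in constant time.
  defp check_token(conn, expected) do
    case conn.query_params["route_token"] do
      token when is_binary(token) ->
        if Plug.Crypto.secure_compare(token, expected), do: :ok, else: {:error, :unauthorized}

      _ -> {:error, :unauthorized}
    end
  end

  # Exposed feeds: the token alone is enough.
  defp check_basic_auth(_conn, true), do: :ok

  # Not exposed: basic auth is also required, but only if credentials are configured.
  defp check_basic_auth(conn, false) do
    case {Application.get_env(@app, :basic_auth), Plug.BasicAuth.parse_basic_auth(conn)} do
      {nil, _} -> :ok

      {[username: user, password: pass], {given_user, given_pass}} ->
        user_ok? = Plug.Crypto.secure_compare(given_user, user)
        pass_ok? = Plug.Crypto.secure_compare(given_pass, pass)
        if user_ok? and pass_ok?, do: :ok, else: {:error, :unauthorized}

      _ -> {:error, :unauthorized}
    end
  end
end
```

Mount it with `plug PinchflatExampleWeb.Plugs.OpmlAccess` in the pipeline that serves the OPML route, and generate the token once at install time (for example `:crypto.strong_rand_bytes(32) |> Base.url_encode64(padding: false)`) so the copied OPML URL can carry it.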

@kieraneglin kieraneglin self-assigned this Dec 30, 2024
@kieraneglin
Owner Author

@robertkleinschuster what do you think? There are still some TODOs and I need to refactor/add tests, but this is the rough idea

@kieraneglin kieraneglin mentioned this pull request Dec 31, 2024
@kieraneglin kieraneglin marked this pull request as ready for review December 31, 2024 01:06
@kieraneglin kieraneglin merged commit f51b219 into master Dec 31, 2024
1 check passed
@kieraneglin kieraneglin deleted the ke/secure-opml-endpoints branch December 31, 2024 01:40

```elixir
# has to match before /sources/:id
get "/sources/opml", Podcasts.PodcastController, :opml_feed
get "/sources/:foo/opml", Podcasts.PodcastController, :opml_feed
```
Owner Author


oops

@robertkleinschuster
Contributor

@robertkleinschuster what do you think? There are still some TODOs and I need to refactor/add tests, but this is the rough idea

Yes, great. If I were more familiar with the language and framework I would have done it in a similar way. My PR was only meant as a concept prototype anyway.

Thanks for fixing this.
