User token security #390
There are multiple layers of issues here... First, I think given the state of the budget and the work that still needs to be done to get templates/preferences working and Turbo360 up and running, a full user authentication system is not likely to happen with this round of funding. There is significant design work still needed not only from a system architecture perspective, but also simply working out the use models. Second, the current DO approach uses So there are two key problems:
How does this work currently?
User tokens by default are generated via
Shareable user tokens simplifies this, removing the
How should it be implemented?
This is a little complicated, especially when bringing Turbo360 into the mix. I think at this point it's probably more useful to think through how you would like to use the system and then we'll rework it. Given that the token system was primarily intended to support a way to identify authors rather than providing any true security, we had assumed given your request for shareable tokens that you weren't terribly concerned about student-to-student access.
Digital Ocean
Assuming Digital Ocean is using
With the current implementation, any teacher can get into the admin interface using As long as each graph uses a unique name, non-shareable tokens should work after #389 is merged. (The shareable tokens hack had actually made ALL tokens shareable, so we had to add non-shared restrictions back in).
Turbo360
Things are a little different with Turbo360.
But here's where things do not quite work:
The problem here is that token security is minimal. Since there's no unique dataset salt on Turbo360, all tokens using the same parameters are the same...e.g. if a bad actor research group spun up their own instances, they could easily recreate your user tokens by simply using matching class and project ids. Ideally we would at least introduce a new dataset value or some other unique value that cannot be guessed via the admin UI. It's not strictly necessary, but it would add a layer of security.
Locking Admin
The second big issue is what kind of security to provide for access to the admin features. If the use of Since Turbo360 does not use
One possible approach:
I don't think we want to "burn" in a password because that would be difficult to change, and becomes a security issue for any other groups using the system. But if we need to have a changeable password, we would need to put it somewhere where one can change it. We could potentially define the password in the project template. So then depending on your security needs, you could define a password that is shared across all teachers in the study, or each graph can have its own password. We probably want some kind of override to reset the project template password in case the project template gets screwed up...the equivalent of the "danishpowers" password to provide some kind of fallback? @jdanish Lots to think through...any thoughts? |
Thanks @benloh. Some important clarifications:
Does that help limit / narrow the scope temporarily? |
Thanks for the clarification.
To avoid the
Do you mean supporting something like having a name in the token like Right now I'm thinking that salt is defined in the template file. e.g. there would be two new values in templates:
The The We can also introduce a superuser password like "danishsuperpowersactivate" or something to allow you to edit the Advanced Panel in case for some reason you can't access the template. This is primarily for use with Turbo360 where you won't have direct access to the template file but need to change it through importing the template. But this would have to be burned into the code (not ideal), or we would have to ask Vertex to allow injecting something like a If the salt is defined in the template, you can then use the same salt to emulate shareable tokens. e.g. if you used Similarly you can set the adminPassword for each teacher separately if you're worried about cross-teacher contamination.
I think we always want to make sure that DO or some other non-Turbo solution works.
Other Misc Comments
|
Thanks!
Did I miss anything? |
So if we repurposed the So teachers would never really ever see |
Oh, actually on revisiting this, Turbo360's portal allows you to download the template file directly via the Site > Storage > So theoretically once we define the And then on the DO side, you could use SSH to grab the template file if you don't know the password. |
Re: the admin=true as a variation of danishpowers is fine. The part that made me nervous was that that means anyone who looks at the git repo will know how to get in. That's where the sesame file in nc-multiplex is nice because in theory we can change it on each server even if we mostly don't bother. Re: checking the template via storage or ssh great. |
Cool. Let's give this a try and see if it works. Thanks for all the feedback. |
Awesome, thanks!
…On Wed, Apr 16, 2025 at 2:40 PM benloh ***@***.***> wrote:
|
To Do
|
Joshua writes: