Security issues with custom authentication module (Question) #4661

Closed
EricNetsch opened this issue Mar 19, 2018 · 2 comments
Comments

@EricNetsch

I built a custom auth module and hooked it up to parse-server. Everything is working great and as expected.

The one issue I am having is security. I am unable to pass more parameters (HMAC, etc.) to the logInWith call to verify the source of the login and ensure the user is valid. It seems like in most cases using just the "public" token to auth a user is a large security risk.

Is there any way to pass additional verification details in the logInWith call? In my custom auth module it seems the only data I receive is the user authData. Ideally, I could pass additional HMAC verification data to ensure the matched user is coming from a verified source.

Any advice or solutions would be greatly appreciated.


@flovilmart
Contributor

Do you validate the authData (access token + id) against your custom auth provider? This is what brings the security: if either the access token is invalid or mismatches the provided user id, the login/linking process fails.

@EricNetsch
Author

Thanks!
I figured out a solution. First I had to update my parse-server version so it could support multiple parameters in my authData per this issue #3867 (this opened up a lot of options). Now the logInWith call also sends the HMAC verification parameters from my auth provider. Also included in the HMAC parameters is a timestamp, which is checked in my module to verify the call even further.
Much more secure now.
