XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Fix Version/s: translate5 - 6.8.1
Affects Version/s: None
Component/s: Main back-end mechanisms (Worker, Logging, etc.), User Management

Urgency:
Critical
ChangeLog Description:
FIX authentication via POST on the session-controller, where elevated credentials were delivered when called with an App-Token
Checklist:

Empty

show more show less

Description

problem

Using the session api endpoint to authenticate a user when the request already has a appToken leads since translate5-6.8.0 to the severe problem that the user is authenticated as the API user instead the desired one.

urgent solution

revoke the change introducing the problem
fix the problem with the internal session unique id causing the above fix
reset the session when using the API endpoint auth

other todos

ensure that all auth mechanisms can not be used anymore when an app token is delivered → breaking change
ensure that all auth mechanisms have for sure a fresh session
clean up and finalize the hotfixes: what is with the update session feature now just commented out in postAction
revoke the return value of handleAuthToken and clean up hotfix in Resource/Session.php::init
ensure an error is thrown when two authentications are passed to the app at the same time (sso, app-token, user/password) -> breaking change

Attachments

Activity

People

Assignee:: Thomas Lauria

Reporter:: Thomas Lauria

Peer developer:: Aleksandar Mitrev, Axel Becher

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 06/Dec/2023 05:03

Updated:: 23/Apr/2024 05:09

Resolved:: 06/Dec/2023 05:44