Hi there, I have some security concerns with the merge actions. Currently, anybody can manually send a login event with some properties and merge his data with existing profiles. He can easily corrupt an existing profile or get private data of this user, as the 2 users will be "merged".

First, in my opinion, a login event should only be accepted from trusted tiers - we need to be able to authenticate the event sender in some way. A simple solution would be to use a secret token, but we could implement more secure things with a certificate. In all cases, we should not let the client send a login event and trigger a user merge on untrusted information.

Some properties should not be directly writable by a user, even on their own profile. Changing the j:nodename property, which is used by the default login rule (it could be any other property), could be a security issue. Actually, the "merge" action should only be done on trusted properties that would be read only, even for their owner. The "systemproperties" map could be a good candidate. Currently the profile endpoint allows to completely save a profile; this should be a little bit restricted.

I also have another concern about profile merging - if a user logs in with 2 different profiles (sends 2 login events with different usernames), both profiles are merged. This can give some very unexpected results if you share your computer with somebody ... Merging one anonymous profile with an identified user makes sense, but merging 2 identified profiles looks rather strange. I would rather switch profile in that case.

What do you think?

Regards,
Thomas
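An added example (not code from the post or the project) sketching the login handling described above: login events are accepted only with an HMAC from the trusted tier, merging keys on a read-only systemProperties map holding j:nodename, an anonymous profile is merged into the known one, and a second identified login switches profile instead of merging. The secret, profile ids and property names other than j:nodename are constructed for the example.

```python
import hashlib
import hmac

# Constructed shared secret between the event endpoint and the trusted login tier
# (placeholder for this example, not a value from the thread).
TRUSTED_TIER_SECRET = b"example-shared-secret"
MERGE_PROPERTY = "j:nodename"  # the property the default login rule merges on


def sign_login(profile_id, username, secret=TRUSTED_TIER_SECRET):
    """Signature the trusted tier attaches to a login event it has authenticated."""
    msg = f"login|{profile_id}|{username}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def is_trusted_login(event):
    """Accept a login event only if it carries a valid HMAC from the trusted tier."""
    expected = sign_login(event.get("profileId", ""), event.get("username", ""))
    return event.get("type") == "login" and hmac.compare_digest(event.get("signature", ""), expected)


def handle_login(profiles, event):
    """Apply a login event; returns (profile id to continue with, outcome).
    profiles maps id -> {"systemProperties": {...}, "properties": {...}}. systemProperties
    is written only here, never from client-supplied data, so it is safe to merge on.
    """
    if not is_trusted_login(event):
        return event.get("profileId"), "rejected"  # untrusted sender: no merge at all
    current_id, username = event["profileId"], event["username"]
    current = profiles[current_id]
    current_user = current["systemProperties"].get(MERGE_PROPERTY)
    master_id = next((pid for pid, p in profiles.items()
                      if p["systemProperties"].get(MERGE_PROPERTY) == username), None)
    if current_user == username:
        return current_id, "unchanged"
    if current_user is not None:
        # Two identified users on one browser: switch profile, never merge them.
        if master_id is None:
            master_id = f"profile-{username}"
            profiles[master_id] = {"systemProperties": {MERGE_PROPERTY: username}, "properties": {}}
        return master_id, "switched"
    if master_id is None:
        current["systemProperties"][MERGE_PROPERTY] = username  # first login: identify in place
        return current_id, "identified"
    # Anonymous profile logging in as a known user: fold its ordinary properties into the
    # master; the master's read-only systemProperties are never touched.
    master = profiles[master_id]
    for key, value in profiles.pop(current_id)["properties"].items():
        master["properties"].setdefault(key, value)
    return master_id, "merged"
```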
