Hello Thomas, I think all your propositions make a lot of sense (of course, since we discussed them first :)). I vote that we first implement a token system and that we can always improve this further. Ideally we should have one token per accepted server, not a single one for all external services.
I see you have already created the ticket; I'll add your proposition down here to the ticket for more details.

cheers,
Serge…

> On 1 Feb 2016, at 13:26, Thomas Draier <[email protected]> wrote:
>
> Hi there,
>
> I have some security concerns with the merge actions. Currently, anybody
> can manually send a login event with some properties and merge his data
> with existing profiles. He can easily corrupt an existing profile or get
> the private data of this user, as the 2 users will be "merged".
>
> First thing is that, in my opinion, a login event should only be accepted by
> trusted tiers - we need to be able to authenticate the event sender in some
> way - a simple solution would be to use a secret token, but we could
> implement more secure things with a certificate. In all cases, we should
> not let the client send a login event and trigger a user merge on
> untrusted information.
>
> Some properties should not be directly writeable by a user, even on his own
> profile. Changing the j:nodename property, which is used by the default
> login rule (it could be any other property), could be a security issue.
> Actually, the "merge" action should only be done on trusted properties that
> would be read-only, even for their owner. The "systemproperties" map could
> be a good candidate. Currently the profile endpoint allows one to completely
> save a profile; this should be a little bit restricted.
>
> I also have another concern about profile merging - if a user logs in with
> 2 different profiles (sends 2 login events, with different usernames), both
> profiles are merged. This can give some very unexpected results if you
> share your computer with somebody ... Merging one anonymous profile with an
> identified user makes sense, but merging 2 identified profiles looks rather
> strange. I would rather switch profile in that case.
>
> What do you think?
>
> Regards
>
> thomas
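The three points raised in this thread, worked through as an added example that is not part of the thread and not the project's own code: a login-event handler that accepts merge-triggering events only from servers holding a per-server secret token (here an HMAC over the sender id and the event body; the signing scheme, the server names, the secrets and the event bodies are all assumptions constructed for the example), merges only on properties kept in a read-only system-properties map (j:nodename plus an assumed crmUserId), drops those properties when a client saves its own profile, and switches profiles instead of merging when two identified profiles meet. The in-memory profile store and the `Profile` shape are also assumptions.

```python
import hashlib
import hmac
import json
import uuid
from dataclasses import dataclass, field

# Assumption: one shared secret per trusted server, known only to that server
# and to this service. These values are constructed for the example.
TRUSTED_SERVERS = {
    "crm-backend": b"constructed-secret-for-crm",
    "shop-frontend": b"constructed-secret-for-shop",
}

# Properties the login rule may merge on. They live in the profile's
# system-properties map and are never writable through the client endpoint.
MERGE_PROPERTIES = frozenset({"j:nodename", "crmUserId"})


class RejectedEvent(Exception):
    """Raised when a login event must not be processed."""


@dataclass
class Profile:
    id: str
    properties: dict = field(default_factory=dict)         # client-writable
    system_properties: dict = field(default_factory=dict)  # trusted tiers only


def sign_event(server_id: str, secret: bytes, body: bytes) -> str:
    """Assumed scheme: HMAC-SHA256 over the sender id and the raw event body."""
    return hmac.new(secret, server_id.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def verify_sender(server_id: str, signature: str, body: bytes) -> None:
    """Reject events from unknown servers or with a signature that does not match."""
    secret = TRUSTED_SERVERS.get(server_id)
    if secret is None:
        raise RejectedEvent(f"unknown sender {server_id!r}")
    expected = sign_event(server_id, secret, body)
    # Constant-time comparison; a plain == would let an attacker time the token.
    if not hmac.compare_digest(expected, signature):
        raise RejectedEvent("invalid signature")


def is_identified(profile: Profile) -> bool:
    return any(k in profile.system_properties for k in MERGE_PROPERTIES)


def handle_login_event(server_id, signature, body, current, profiles):
    """Process a login event for the browser's current profile.

    Returns (action, resulting profile); `profiles` is the id -> Profile store.
    """
    verify_sender(server_id, signature, body)
    event = json.loads(body)
    # Only trusted merge properties are considered; anything else is ignored.
    login = {k: v for k, v in event.get("properties", {}).items() if k in MERGE_PROPERTIES}
    if not login:
        raise RejectedEvent("login event carries no trusted merge property")
    target = next((p for p in profiles.values()
                   if p.id != current.id
                   and any(p.system_properties.get(k) == v for k, v in login.items())), None)
    if target is None:
        if is_identified(current) and any(current.system_properties.get(k) != v
                                          for k, v in login.items()):
            # Another identified user on the same browser: start a fresh
            # profile rather than overwriting the existing identity.
            fresh = Profile(id=uuid.uuid4().hex, system_properties=dict(login))
            profiles[fresh.id] = fresh
            return "switch", fresh
        current.system_properties.update(login)  # first login: bind identity
        return "bound", current
    if is_identified(current):
        # Two identified profiles: switch to the matching one, never merge.
        return "switch", target
    # Anonymous -> identified: fold the anonymous data into the known profile,
    # keeping the identified profile's values where both have a key.
    for k, v in current.properties.items():
        target.properties.setdefault(k, v)
    profiles.pop(current.id, None)
    return "merged", target


def save_profile_from_client(profile: Profile, submitted: dict) -> list:
    """Client-facing save: ordinary properties only. Returns the keys dropped."""
    dropped = sorted(k for k in submitted if k in MERGE_PROPERTIES)
    for k, v in submitted.items():
        if k not in MERGE_PROPERTIES:
            profile.properties[k] = v
    return dropped
```

A server that accepted the client's own login event would skip `verify_sender` entirely, which is the hole the thread describes; with the check in place, a client can still send a login event, but without a trusted server's secret it is rejected before any profile is read or written. Replay protection (a timestamp or nonce under the MAC) is left out of the example and would be the next thing to add.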
