https://bugs.documentfoundation.org/show_bug.cgi?id=103825
--- Comment #5 from Pranav Kant <[email protected]> ---
(In reply to Aleksander Machniak from comment #4)
> (In reply to Pranav Kant from comment #3)
> > On the server side, when access token is about to expire, sure I can request
> > CheckFileInfo from the WOPI service but what good would that do? My plan
>
> The CheckFileInfo would be a ping to the service/session, so it knows it's
> still in use and should not expire the session token.
>

I am a bit skeptical w.r.t. security here. What if the access token is leaked
somehow? I am inclined towards not extending the existing token so that even if
the token is compromised, the attacker is not able to abuse the WOPI service for
an indefinite period.

> > was to intimate the user when we are near access_token_ttl who would then
> > provide loolwsd with a new access_token that loolwsd can reliably use for
> > WOPI operations (till ttl expires again). But how would I get this new
> > access token from WOPI service by making a CheckFileInfo request (loolwsd ->
> > WOPI service)?
>
> I don't really see a need to make user aware of this internal process.

My guess is that this is also enforced by the WOPI specs due to the security
concern mentioned above.

> Also, I don't see a way to pass the new token from WOPI to loolwsd.

If we refresh the page, it would go through the same cycle again. That is one
solution.

The other might be that I create another post message API where the WOPI host
inserts its new token and loleaflet then passes the access token to loolwsd
internally through websockets.
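
The trade-off raised in comment #5, as an added example that is not part of the original comment and is not loolwsd or WOPI host code: a toy token store compares extending a token on every ping with a fixed TTL where a new token is issued instead. `TokenStore`, `leakedTokenLifetime`, the TTL and the ping interval are all hypothetical.

```javascript
// Added illustration (hypothetical names; not loolwsd or WOPI host code).
// Two access-token lifetime policies on a WOPI-style host:
//   "sliding": every CheckFileInfo-style ping pushes the expiry forward
//   "fixed":   expiry is set once at issue; a new token must be issued instead
class TokenStore {
  constructor(policy, ttlMs) {
    this.policy = policy;
    this.ttlMs = ttlMs;
    this.tokens = new Map(); // token -> expiry timestamp (ms)
    this.counter = 0;
  }
  issue(now) {
    const token = `tok-${++this.counter}`; // constructed value; real tokens must be random
    this.tokens.set(token, now + this.ttlMs);
    return token;
  }
  // Models any authenticated request, e.g. a CheckFileInfo ping.
  use(token, now) {
    const expiry = this.tokens.get(token);
    if (expiry === undefined || now >= expiry) {
      this.tokens.delete(token);
      return false;
    }
    if (this.policy === "sliding") this.tokens.set(token, now + this.ttlMs);
    return true;
  }
}

// How long (ms) a leaked token stays usable when whoever holds it pings
// every intervalMs, observed up to horizonMs.
function leakedTokenLifetime(policy, ttlMs, intervalMs, horizonMs) {
  const store = new TokenStore(policy, ttlMs);
  const leaked = store.issue(0);
  let lastOk = 0;
  for (let t = intervalMs; t <= horizonMs; t += intervalMs) {
    if (!store.use(leaked, t)) break;
    lastOk = t;
  }
  return lastOk;
}

const MIN = 60 * 1000;
const DAY = 24 * 60 * MIN;
const sliding = leakedTokenLifetime("sliding", 10 * MIN, 5 * MIN, DAY);
const fixed = leakedTokenLifetime("fixed", 10 * MIN, 5 * MIN, DAY);
console.log({ slidingMinutes: sliding / MIN, fixedMinutes: fixed / MIN });
```

Under the sliding policy the leaked token is still valid at the end of the observation window; under the fixed policy it dies at its original TTL, and the legitimate session continues only by receiving a freshly issued token.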