
API Token not guaranteed to be unique. #39

Open
bummzack opened this issue May 28, 2015 · 0 comments


@bummzack
Contributor

I admit that it's an edge case, but with the current implementation, the uniqueness of an API token can't be guaranteed.

There are two scenarios where this could be a potential problem:

  • The portion of the hash that's being used as the API token gets generated twice (very unlikely, but still possible)
  • A user modifies his user-object to have a different API token. In theory this is possible, if the user has some way to update user-data (since the user has a login, he has permission to change his "Member" entry).

I'll send a pull request that will fix the issue.
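Both scenarios above (a repeated truncated hash, and a self-service profile edit reaching the token column) come down to the same two controls: check the candidate token against every existing row before storing it, and never let the user-facing update path write the token field. The example below is an added illustration written for this issue, not code from silverstripe-restfulapi, and it uses Python with an in-memory dict rather than the project's PHP and database layer; `ApiToken`, `USER_EDITABLE` and `sequence_rng` are constructed names for the demo.

```python
import hashlib
import secrets

TOKEN_LEN = 32            # hex characters kept from the hash
USER_EDITABLE = {"FirstName", "Surname", "Email"}  # fields a member may change himself


def candidate_token(rng=secrets.token_bytes, token_len=TOKEN_LEN):
    """Hash random bytes and keep a prefix, mirroring the truncated-hash scheme the issue describes."""
    return hashlib.sha256(rng(32)).hexdigest()[:token_len]


def token_in_use(members, token):
    """True if any member row already carries this token (the check a DB unique index would otherwise do)."""
    return any(m.get("ApiToken") == token for m in members.values())


def issue_token(members, member_id, rng=secrets.token_bytes, max_attempts=10):
    """Assign a fresh token; on a collision draw again rather than storing a duplicate."""
    for _ in range(max_attempts):
        token = candidate_token(rng)
        if not token_in_use(members, token):
            members[member_id]["ApiToken"] = token
            return token
    raise RuntimeError("no unique token after %d attempts" % max_attempts)


def apply_profile_update(members, member_id, updates):
    """Self-service edit path: write only allowed fields and report the ones refused (ApiToken included)."""
    rejected = {name for name in updates if name not in USER_EDITABLE}
    for name in updates.keys() - rejected:
        members[member_id][name] = updates[name]
    return rejected


def sequence_rng(chunks):
    """Deterministic stand-in for the RNG, used only to force a collision in the demo."""
    it = iter(chunks)
    return lambda n: next(it)


if __name__ == "__main__":
    # Constructed sample data: two member rows and an RNG that repeats its first output once.
    members = {1: {"Email": "a@example.com"}, 2: {"Email": "b@example.com"}}
    rng = sequence_rng([b"\x01" * 32, b"\x01" * 32, b"\x02" * 32])
    t1, t2 = issue_token(members, 1, rng), issue_token(members, 2, rng)
    print("distinct tokens:", t1 != t2)
    print("refused fields:", apply_profile_update(members, 2, {"ApiToken": t1, "Email": "c@example.com"}))
```

The retry loop is bounded so a broken RNG surfaces as an error instead of spinning, and the refused-field set is returned so the caller can log a member attempting to set its own token.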

bummzack added a commit to bummzack/silverstripe-restfulapi that referenced this issue Jun 19, 2015
ADD colymba#44: Implement API method to refresh token.

- Reverted to non-unique indexes on `RESTfulAPI_TokenAuthExtension` since there's an issue with MsSQL DBs.
- Implemented token refresh methods.
- Updated documentation.
- Added test for "refreshToken".
- Updated token uniqueness test.