- Status: Closed
- Percent complete
- Type: Bug
- Category: Freebox OS → API
- Assigned to: rfliedel
- Operating system: Freebox Server V6 (Révolution)
- Severity: High
- Priority: Very Low
- Reported version: 2.0.2
- Due in version: Undecided
- Due date: Undecided
- Votes
- Private
Project: Freebox Server (Ultra V9/ Pop V8/ Delta V7 / Revolution V6 / Mini 4K)
Opened by zakhar - 16/07/2013
Last edited by rfliedel - 14/08/2013
FS#12891 - No logout API
There is a Login API to get a session_token
There is NO Logout API to disable a session_token when done with it.
On any “O.S.” (and although Freebox O.S. doesn’t really qualify as an O.S.!) this would be considered a SECURITY issue.
Indeed, although an attacker observing data cannot guess the password, he can see the session_tokens clearly and use them for his own benefit as long as they don’t time out.
So, for security sake, there SHOULD be a way to logout from a session.
(As it is related to security, that is why I classified it as Anomaly/High, instead of Evolution/Low)
Closed by rfliedel
10.09.2013 12:30
Reason for closing: Enhancement integrated
Closing comments:
In 2.0.3
In fact, Free must be aware that leaving open sessions is a Security issue, because there is a GUI to kill sessions (accessible through “Paramétrages de la Freebox” tab “Sessions”).
This tab uses 2 undocumented (because internal, see below) APIs:
1) The first one allows reading sessions and looks like
GET /api/v1/sessions/?_dc=1374219877482
The number after _dc= appears to be a timestamp WITH milliseconds (unlike the start_time field in the JSON sessions structure, which does not have milliseconds)
2) The second one, which is what we would need (at least to close our own session), looks like
DELETE /api/v1/sessions/3?_dc=1374219902288
The first number after sessions/ is the ID of the session we want to kill, the _dc parameter is the same as above.
The session structure is:
{
}
Both these interfaces are INTERNAL
To work, they need 2 headers:
X-Fbx-App-Id: fr.freebox.mafreebox
X-FBX-FREEBOX0S: 1
And you also need to provide the cookie obtained from the login to the Freebox OS application.
This defeats the use of the internal APIs inside an app, because then the app would have to know the password to your Freebox OS in order to mimic its login and get a valid cookie.
That is why we need a logout (like the DELETE used by Freebox OS) to be able to remove our own session.
It could operate like the DELETE described above, although I don’t really see the use of the timestamp, and of course, you would need your session token to ensure that you are not trying to kill the session of someone else!
There is an undocumented API you can use:
POST /api/login/logout/
This will close your current session.
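As an added example (not code from this thread, from Free, or from the Freebox SDK), a small Python client that treats the session_token as a credential to be revoked with the POST /api/login/logout/ call above, even when the application fails part-way, so an observed token stops working at logout rather than at time-out. The logout path is the one quoted in this comment; the challenge/response login paths, the X-Fbx-App-Auth header and the in-memory fake_box stand-in are assumptions made for the example.

```python
import hashlib
import hmac
LOGOUT = "/api/login/logout/"   # path from this thread; the two login paths below are assumed

class FreeboxSession:
    """Obtain a session_token and ALWAYS revoke it on exit, even when the with-body raises."""
    def __init__(self, app_id, app_token, transport):
        self.app_id, self.app_token, self.transport = app_id, app_token, transport
        self.session_token = None   # transport(method, path, headers, body) -> decoded JSON reply
    def call(self, method, path, body=None):
        headers = {"X-Fbx-App-Auth": self.session_token} if self.session_token else {}  # assumed name
        return self.transport(method, path, headers, body)
    def __enter__(self):
        # Assumed challenge/response login: password = HMAC-SHA1(app_token, challenge), so only
        # the session_token, never the app_token, is observable on the wire.
        challenge = self.call("GET", "/api/v1/login/")["result"]["challenge"]
        pwd = hmac.new(self.app_token.encode(), challenge.encode(), hashlib.sha1).hexdigest()
        reply = self.call("POST", "/api/v1/login/session/", {"app_id": self.app_id, "password": pwd})
        if not reply.get("success"):
            raise RuntimeError("login refused")
        self.session_token = reply["result"]["session_token"]
        return self
    def __exit__(self, exc_type, exc, tb):
        if self.session_token:
            try:
                self.call("POST", LOGOUT)   # invalidate now instead of waiting for the time-out
            finally:
                self.session_token = None
        return False   # never swallow the caller's exception

LIVE_TOKENS = set()   # constructed stand-in for the box's session table (offline demo only)

def fake_box(method, path, headers, body=None):
    # Constructed offline stand-in for the box: hands out one token and forgets it on logout.
    token = headers.get("X-Fbx-App-Auth")
    if path == "/api/v1/login/":
        return {"success": True, "result": {"challenge": "c0ffee"}}
    if path == "/api/v1/login/session/":
        LIVE_TOKENS.add("tok-1")   # a real box would first verify body["password"]
        return {"success": True, "result": {"session_token": "tok-1"}}
    if path == LOGOUT:
        LIVE_TOKENS.discard(token)
    return {"success": token in LIVE_TOKENS or path == LOGOUT}   # other calls need a live token

def demo():
    # Use the session, fail part-way, and report whether the token was still revoked.
    try:
        with FreeboxSession("demo.app", "secret", fake_box) as s:
            s.call("GET", "/api/v1/sessions/")   # the internal endpoint quoted in the thread
            raise ValueError("simulated failure inside the session")
    except ValueError:
        pass
    return not LIVE_TOKENS
```

After demo() returns, a replay of the old token against the fake box is refused, which is exactly what the missing logout call prevented a client from guaranteeing.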
Thanks, although the documentation says we SHOULD NOT use any undocumented APIs, which I totally understand.
Do you feel this is simply an omission in the documentation, and thus is only a “documentation bug”?
You can safely use this API; it will be documented in the next release.
Thank you!
I believe once it is fully published with parameters and return codes, this would close/fix the issue.