Freebox Server (Ultra V9/ Pop V8/ Delta V7 / Revolution V6 / Mini 4K)

  • Status: Closed
  • Percent complete: 100%
  • Type: Anomaly (bug)
  • Category: Freebox OS → API
  • Assigned to: rfliedel
  • Operating system: Freebox Server V6 (Révolution)
  • Severity: High
  • Priority: Very Low
  • Reported against version: 2.0.2
  • Due in version: Undecided
  • Due date: Undecided
  • Votes
  • Private
Project: Freebox Server (Ultra V9/ Pop V8/ Delta V7 / Revolution V6 / Mini 4K)
Opened by zakhar - 16/07/2013
Last edited by rfliedel - 14/08/2013

FS#12891 - No logout API

There is a Login API to get a session_token

There is NO Logout API to disable a session_token when done with it.

On any “O.S.” (and although Freebox O.S. doesn’t really qualify as an O.S.!) this would be considered a SECURITY issue.
Indeed, although an attacker observing data cannot guess the password, he can see the session_tokens clearly and use them for his own benefit as long as they don’t time out.
So, for security's sake, there SHOULD be a way to log out from a session.

(As it is related to security, that is why I classified it as Anomaly/High, instead of Evolution/Low)

Closed by rfliedel
10.09.2013 12:30
Reason for closing: Enhancement integrated
Closing comments:

In 2.0.3

zakhar commented on 19.07.2013 08:33

In fact, Free must be aware that leaving open sessions is a Security issue, because there is a GUI to kill sessions (accessible through “Paramétrages de la Freebox” tab “Sessions”).

This tab uses 2 undocumented (because internal, see below) APIs:
1) The first one allows reading sessions and looks like
GET /api/v1/sessions/?_dc=1374219877482

The number after _dc= appears to be a timestamp WITH milliseconds (unlike the start_time field of the JSON session structure, which does not have milliseconds).

2) The second one, which is what we would need (at least to close our own session), looks like
DELETE /api/v1/sessions/3?_dc=1374219902288

The first number after sessions/ is the ID of the session we want to kill, the _dc parameter is the same as above.
The session structure is:
{
  "is_web_app": false,
  "device_name": "zakhar-Notebook-PC",
  "app_name": "My App Name",
  "id": 6,
  "start_time": 1374221346,
  "client_ip": "192.168.1.30"
}

Both these interfaces are INTERNAL
To work, they need 2 headers:
X-Fbx-App-Id: fr.freebox.mafreebox
X-FBX-FREEBOX0S: 1

And you also need to provide the cookie obtained from the login to the Freebox OS application.
This defeats the use of the internal APIs inside an app, because then the app would have to know the password to your Freebox OS in order to mimic its login and get a valid cookie.

That is why we need a logout (like the DELETE used by Freebox OS) to be able to remove our own session.
It could operate like the DELETE described above, although I don’t really see the use of the timestamp, and of course, you would need your session token to ensure that you are not trying to kill the session of someone else!

Admin
rfliedel commented on 31.07.2013 12:39

There is an undocumented API you can use:
POST /api/login/logout/

This will close your current session.
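The calls discussed in the two comments above (the internal GET/DELETE on /api/v1/sessions/ with the two extra headers, and the POST /api/login/logout/ rfliedel points to), as an added example that is not code from the Freebox project or from anyone in this thread. The client runs against a constructed in-process stand-in for the box so it works offline. Assumptions the thread does not settle: the session_token travels in an X-Fbx-App-Auth header, a rejected token gets HTTP 403, and replies are JSON objects with a "success" key; the stand-in's sessions and token values are made up.

```python
"""Added example: list sessions, kill one the Freebox OS way, then log out
and show that the logged-out session_token is refused afterwards.
Header name X-Fbx-App-Auth, the 403 on a bad token, the "success" key and
the _dc cache-buster reading are assumptions, not facts from the thread."""
import json
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

APP_ID = "fr.freebox.mafreebox"  # X-Fbx-App-Id value reported in the thread


class FreeboxClient:
    def __init__(self, base_url, session_token):
        self.base_url = base_url.rstrip("/")
        self.session_token = session_token
        # Bypass any http_proxy in the environment so the local stand-in is reached.
        self.opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

    def _request(self, method, path, internal=False):
        headers = {"X-Fbx-App-Auth": self.session_token}  # assumed header name
        if internal:
            # The two headers the Freebox OS web app sends (from the thread).
            headers["X-Fbx-App-Id"] = APP_ID
            headers["X-FBX-FREEBOX0S"] = "1"
            # Millisecond timestamp as observed in the thread; assumed to be a cache-buster.
            path += "?_dc=%d" % int(time.time() * 1000)
        req = urllib.request.Request(self.base_url + path, method=method, headers=headers)
        try:
            with self.opener.open(req, timeout=5) as resp:
                return resp.status, json.loads(resp.read())
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")

    def list_sessions(self):
        return self._request("GET", "/api/v1/sessions/", internal=True)

    def kill_session(self, session_id):
        return self._request("DELETE", "/api/v1/sessions/%d" % session_id, internal=True)

    def logout(self):  # the call rfliedel points to; closes the caller's own session
        return self._request("POST", "/api/login/logout/")


class FakeFreebox(BaseHTTPRequestHandler):
    """Constructed stand-in for the box: two live sessions, one known token."""
    sessions = {
        3: {"is_web_app": True, "device_name": "zakhar-Notebook-PC", "app_name": "Freebox OS",
            "id": 3, "start_time": 1374219800, "client_ip": "192.168.1.30"},
        6: {"is_web_app": False, "device_name": "zakhar-Notebook-PC", "app_name": "My App Name",
            "id": 6, "start_time": 1374221346, "client_ip": "192.168.1.30"},
    }
    tokens = {"made-up-token-for-session-6": 6}  # session_token -> session id

    def log_message(self, *args):  # silence per-request logging
        pass

    def _reply(self, code, payload):
        body = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def _dispatch(self):
        path = self.path.split("?", 1)[0]
        token = self.headers.get("X-Fbx-App-Auth")
        sid = self.tokens.get(token)
        if sid is None:  # the point of logout: a closed session's token is refused
            return self._reply(403, {"success": False, "msg": "session token refused"})
        internal = (self.headers.get("X-Fbx-App-Id") == APP_ID
                    and self.headers.get("X-FBX-FREEBOX0S") == "1")
        if self.command == "GET" and path == "/api/v1/sessions/" and internal:
            return self._reply(200, {"success": True, "result": list(self.sessions.values())})
        if self.command == "DELETE" and path.startswith("/api/v1/sessions/") and internal:
            target = int(path.rsplit("/", 1)[1])
            self.sessions.pop(target, None)
            for t in [t for t, s in self.tokens.items() if s == target]:
                del self.tokens[t]
            return self._reply(200, {"success": True})
        if self.command == "POST" and path == "/api/login/logout/":
            del self.tokens[token]  # invalidate only the caller's own token
            self.sessions.pop(sid, None)
            return self._reply(200, {"success": True})
        return self._reply(404, {"success": False, "msg": "unknown call"})

    do_GET = do_DELETE = do_POST = _dispatch


def demo():
    """Returns session ids before/after the DELETE, and the status codes of logout and of reuse."""
    server = HTTPServer(("127.0.0.1", 0), FakeFreebox)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    client = FreeboxClient("http://127.0.0.1:%d" % server.server_address[1],
                           "made-up-token-for-session-6")
    try:
        before = sorted(s["id"] for s in client.list_sessions()[1]["result"])
        client.kill_session(3)
        after_kill = sorted(s["id"] for s in client.list_sessions()[1]["result"])
        logout_status = client.logout()[0]
        reuse_status = client.list_sessions()[0]  # same token, after logout
        return {"before": before, "after_kill": after_kill,
                "logout": logout_status, "reuse": reuse_status}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())  # {'before': [3, 6], 'after_kill': [6], 'logout': 200, 'reuse': 403}
```

The stand-in keeps its sessions and tokens as class-level state, so demo() is meant to be run once per process. The security point from the original report is the last step: an observer who copied the session_token gets 403 once the legitimate client has called the logout endpoint, which is exactly what a timeout alone does not guarantee.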

zakhar commented on 31.07.2013 16:50

Thanks, although the documentation says we SHOULD NOT use any undocumented APIs, which I totally understand.

Do you feel this is simply an omission in the documentation, and thus is only a “documentation bug”?

Admin
rfliedel commented on 31.07.2013 17:36

You can safely use this API; it will be documented in the next release.

zakhar commented on 15.08.2013 07:12

Thank you!
I believe once it is fully published with parameters and return codes, this would close/fix the issue.
