Freebox Server (Pop V8/ Delta V7 / Revolution V6 / Server Mini 4K)

  • Status Closed
  • Task type Anomaly
  • Category Freebox OS → API
  • Assigned to Romain FLIEDEL (rfliedel)
  • Operating system Freebox Server V6 (Révolution)
  • Severity High
  • Priority Normal
  • Reported version 2.0.2
  • Due in version Undecided
  • Due date Undecided
  • Votes 0
  • Private No
Project: Freebox Server (Pop V8/ Delta V7 / Revolution V6 / Server Mini 4K)
Opened by zakhar (zakhar) - 16/07/2013
Last edited by Romain FLIEDEL (rfliedel) - 14/08/2013

FS#12891 - No logout API

There is a Login API to get a session_token

There is NO Logout API to disable a session_token when done with it.

On any “O.S.” (and although Freebox O.S. doesn’t really qualify as an O.S.!) this would be considered a SECURITY issue.
Indeed, although an attacker observing data cannot guess the password, he can see the session_tokens clearly and use them for his own benefit as long as they don’t time out.
So, for security sake, there SHOULD be a way to logout from a session.

(As it is related to security, that is why I classified it as Anomaly/High, instead of Evolution/Low)

Closed by Romain FLIEDEL (rfliedel)
Tuesday 10 September 2013 12:30:55
Reason for closing: Enhancement integrated
Additional closing comments: In 2.0.3

This task does not depend on any other task

zakhar (zakhar)
Friday 19 July 2013 08:33:17

In fact, Free must be aware that leaving open sessions is a Security issue, because there is a GUI to kill sessions (accessible through “Paramétrages de la Freebox” tab “Sessions”).

This tab uses 2 undocumented (because internal, see below) APIs:
1) The first one allows reading the sessions and looks like:
GET /api/v1/sessions/?_dc=1374219877482

The number after _dc= appears to be a timestamp WITH milliseconds (unlike the start_time field in the JSON session structure, which does not have milliseconds).

2) The second one, which is what we would need (at least to close our own session), looks like:
DELETE /api/v1/sessions/3?_dc=1374219902288

The first number after sessions/ is the ID of the session we want to kill, the _dc parameter is the same as above.
The session structure is:
{
  "is_web_app": false,
  "device_name": "zakhar-Notebook-PC",
  "app_name": "My App Name",
  "id": 6,
  "start_time": 1374221346,
  "client_ip": "192.168.1.30"
}

Both these interfaces are INTERNAL
To work, they need 2 headers:
X-Fbx-App-Id: fr.freebox.mafreebox
X-FBX-FREEBOX0S: 1

And you also need to provide the cookie obtained from the login to the Freebox OS application.
This defeats the use of the internal APIs inside an app, because then the app would have to know the password to your Freebox OS in order to mimic its login and get a valid cookie.

That is why we need a logout (like the DELETE used by Freebox OS) to be able to remove our own session.
It could operate like the DELETE described above, although I don’t really see the use of the timestamp, and of course, you would need your session token to ensure that you are not trying to kill the session of someone else!

Romain FLIEDEL (rfliedel)
Wednesday 31 July 2013 12:39:33

There is an undocumented API you can use:
POST /api/login/logout/

This will close your current session.
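
The following is an added example, not code from this thread or from Freebox: a small Python model of the session-token life cycle discussed above. It stands in for the login API, the logout endpoint (POST /api/login/logout/) named in this reply, and the internal GET /api/v1/sessions/ and DELETE /api/v1/sessions/<id> calls from the earlier comment, so the security point of the report can be checked offline. The class, function and app names, the timeout value and the in-memory store are all assumptions for illustration; Freebox OS's real implementation is not shown here.

```python
import secrets
import time
from contextlib import contextmanager


class SessionStore:
    """Server-side model (constructed for this example) of Freebox OS session tokens."""

    def __init__(self, timeout_s=1800, clock=time.time):
        self._timeout = timeout_s          # assumed session timeout, in seconds
        self._clock = clock                # injectable clock so the demo can fast-forward
        self._next_id = 1
        self._by_token = {}                # session_token -> session record

    def login(self, app_id, device_name, client_ip):
        """Stand-in for the login API: issue a fresh, unguessable session_token."""
        token = secrets.token_hex(20)
        self._by_token[token] = {
            "is_web_app": False,
            "device_name": device_name,
            "app_name": app_id,
            "id": self._next_id,
            "start_time": int(self._clock()),   # whole seconds, like the page's field
            "client_ip": client_ip,
        }
        self._next_id += 1
        return token

    def _expired(self, rec):
        return self._clock() - rec["start_time"] > self._timeout

    def is_valid(self, token):
        """True while the token is known and not timed out; purges timed-out tokens."""
        rec = self._by_token.get(token)
        if rec is None:
            return False
        if self._expired(rec):
            del self._by_token[token]
            return False
        return True

    def logout(self, token):
        """Stand-in for POST /api/login/logout/: revoke the caller's own session."""
        return self._by_token.pop(token, None) is not None

    def list_sessions(self, token):
        """Stand-in for GET /api/v1/sessions/: needs a valid session of its own."""
        if not self.is_valid(token):
            raise PermissionError("invalid or expired session_token")
        return [dict(r) for r in self._by_token.values() if not self._expired(r)]

    def delete_session(self, token, session_id):
        """Stand-in for DELETE /api/v1/sessions/<id>: kill any session by id."""
        if not self.is_valid(token):
            raise PermissionError("invalid or expired session_token")
        for tok, rec in list(self._by_token.items()):
            if rec["id"] == session_id:
                del self._by_token[tok]
                return True
        return False


@contextmanager
def app_session(store, app_id, device_name, client_ip):
    """Client-side pattern: log out on every exit path, including exceptions."""
    token = store.login(app_id, device_name, client_ip)
    try:
        yield token
    finally:
        store.logout(token)


def demo(timeout_s=1800):
    """Run the three scenarios from the thread and report what each token could do."""
    now = [1374221346.0]                   # constructed clock, starting at the page's start_time
    store = SessionStore(timeout_s=timeout_s, clock=lambda: now[0])
    result = {}

    # 1. Well-behaved app: a token seen on the wire stops working at logout.
    with app_session(store, "fr.example.myapp", "zakhar-Notebook-PC", "192.168.1.30") as tok:
        captured = tok                     # what a network observer would have seen
        result["valid_during_session"] = store.is_valid(captured)
    result["valid_after_logout"] = store.is_valid(captured)

    # 2. App with no logout: the same kind of token keeps working until the timeout.
    stale = store.login("fr.example.nologout", "tablet", "192.168.1.31")
    now[0] += timeout_s - 1
    result["valid_before_timeout"] = store.is_valid(stale)
    now[0] += 2
    result["valid_after_timeout"] = store.is_valid(stale)

    # 3. The Freebox OS "Sessions" tab can list and kill a forgotten session.
    forgotten = store.login("fr.example.forgotten", "phone", "192.168.1.32")
    admin = store.login("fr.freebox.mafreebox", "browser", "192.168.1.2")
    sessions = store.list_sessions(admin)
    result["listed_ids"] = sorted(s["id"] for s in sessions)
    forgotten_id = next(s["id"] for s in sessions if s["app_name"] == "fr.example.forgotten")
    result["deleted"] = store.delete_session(admin, forgotten_id)
    result["forgotten_valid_after_delete"] = store.is_valid(forgotten)
    return result


if __name__ == "__main__":
    print(demo())
```

The `app_session` context manager is the client-side habit the report argues for: once a logout endpoint exists, calling it in a `finally` block bounds the window in which a leaked session_token is useful to whoever observed it, instead of leaving that window open until the server-side timeout.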

zakhar (zakhar)
Wednesday 31 July 2013 16:50:17

Thanks, although the documentation says we SHOULD NOT use any undocumented APIs, which I totally understand.

Do you feel this is simply an omission in the documentation, and thus is only a “documentation bug”?

Romain FLIEDEL (rfliedel)
Wednesday 31 July 2013 17:36:05

You can safely use this API; it will be documented in the next release.

zakhar (zakhar)
Thursday 15 August 2013 07:12:30

Thank you!
I believe once it is fully published with parameters and return codes, this would close/fix the issue.
