This repository has been archived by the owner on Jul 5, 2023. It is now read-only.
[BUG] - Passport 0.4.1 Regenerates Session instead of closing it on logout leading to risk to discord / steam logins in shared environments. #88
Labels: bug (Something isn't working)
Describe the bug
This project's package.json looks for passport compatible with 0.4.1
This is a hard dependency, as passport versions > 0.6.0 cause an auth failure during the Discord OAuth handover to Steam OAuth, preventing login.
This is problematic because there is a session regeneration fault in passport 0.4.1. If a user were to use a shared computer, such as an internet cafe PC, to authenticate with the website, log out of the site AND close the tab, then as long as the browser in its entirety was not closed (cookies / session tokens cleared), an attacker would still be able to visit the hosted dashboard, click login and connect as that user's Discord account and Steam account without providing credentials or going through 2FA, even though the previous user "logged out".
ref: https://www.npmjs.com/advisories/1081673
ref: GHSA-v923-w3x8-wh69
This fault is fixed in passport 0.6.0+ which does not function with the current dashboard implementation.
Expected behavior
Logging out should actually end the session and not allow it to be regenerated.
Additional context
Logging for posterity as more of a "wishlist" item to fix, so that npm/yarn audit stops nagging about it.
Not the most critical problem, as complex remote attacks require MiTM / malice from the hosting provider, or the user sharing a computer user profile and not logging out when finished with their session.