⚓ T106762 Security review for firebase/php-jwt

Status	Assigned	Task
Open	None	T111534 Allow external users access to cxserver
Open	None	T101398 cxserver: rate limiting
Resolved	Nikerabbit	T108692 Error: mw.Api error: token-impossible
Resolved	Nikerabbit	T97113 MT Api - provide an identification mechanism to allow requests only from a valid MW context
Resolved	Nikerabbit	T106762 Security review for firebase/php-jwt

Event Timeline

Nikerabbit created this task.Jul 23 2015, 11:12 PM

Nikerabbit updated the task description. (Show Details)

Nikerabbit raised the priority of this task from to High.

Nikerabbit claimed this task.

Nikerabbit added projects: MediaWiki-Vendor, LE-CX6-Sprint 1, ContentTranslation-Release6, Patch-For-Review, ContentTranslation.

Nikerabbit added subscribers: gerritbot, csteipp, Arrbee and 4 others.

Amire80 set Security to None.Jul 27 2015, 4:21 PM

Amire80 edited a custom field.

csteipp added projects: Security-Team-Reviews, Security-Team.Jul 28 2015, 12:25 AM

csteipp moved this task from Backlog to Ready on the Security-Team board.

Amire80 moved this task from Needs Triage to CX6 on the ContentTranslation board.Jul 28 2015, 6:19 PM

We're already using an earlier version of php-jwt in Ex:OAuth. I just reviewed the latest version (fa8a06e96526eb7c0eeaa47e4f39be59d21f16e1 on github), and it looks fine as well, although disappointing it still doesn't support EC signatures.

In production, you shouldn't set JWT::$leeway to more than a few seconds, if at all.

Arrbee moved this task from Backlog to Done on the LE-CX6-Sprint 1 board.Jul 29 2015, 7:03 AM

Amire80 moved this task from Backlog to Tech Debt on the ContentTranslation-Release6 board.Aug 2 2015, 6:37 AM

Change 226616 had a related patch set uploaded (by Nikerabbit):
Add firebase/php-jwt for ContentTranslation

https://gerrit.wikimedia.org/r/226616

Change 226616 merged by jenkins-bot:
Add firebase/php-jwt for ContentTranslation

https://gerrit.wikimedia.org/r/226616

Nikerabbit mentioned this in rMWVDad1427661afb: Add firebase/php-jwt for ContentTranslation.Aug 17 2015, 7:08 PM

Arrbee added a project: WorkType-Maintenance.Sep 7 2015, 11:40 AM

• GWicke mentioned this in T111264: Decouple chronology protector from authentication .Sep 29 2015, 12:17 AM

csteipp moved this task from Ready to Done on the Security-Team board.Oct 13 2015, 11:56 PM

sbassett moved this task from Backlog to Archive on the Security-Team-Reviews board.Wed, Apr 24, 6:36 PM

Security review for firebase/php-jwt
Closed, ResolvedPublic1 Story Points
Actions

Description

Related Objects
Search...

Event Timeline

Security review for firebase/php-jwtClosed, ResolvedPublic1 Story PointsActions

Description

Related ObjectsSearch...

Event Timeline

Security review for firebase/php-jwt
Closed, ResolvedPublic1 Story Points
Actions

Related Objects
Search...