
Warn when using local consumers
Open, Needs Triage, Public

Description

We have many test consumers which redirect to 127.0.0.1; for some of them the consumer secret is public (part of some tutorial, or the OAuth vagrant role, etc.). Conceivably someone could use that secret and some kind of tunnel they managed to establish on the target user's machine to impersonate and obtain a grant. This is not a big deal because such consumers are clearly marked as test and have very limited permissions (no page editing, just identification), but it would still be nice to show a different dialog with a warning on top in such cases to make sure the user understands what they are doing.

(We should probably also monitor that no local consumers have write rights.)
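A sketch of the two checks described above (flag consumers whose callback points at the requesting user's own machine, and audit such local consumers for write grants), written here as an added Python illustration rather than code from the OAuth extension; the consumer record fields and the write-grant subset are assumptions:

```python
import ipaddress
from urllib.parse import urlsplit

# Illustrative subset of grants that permit modifying content;
# the full list is defined by MediaWiki, not here.
WRITE_GRANTS = {"editpage", "createeditmovepage", "uploadfile", "delete"}
LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain"}

def is_local_callback(url: str) -> bool:
    """True when the callback URL points at the requesting user's own machine."""
    try:
        host = urlsplit(url).hostname  # lowercased; IPv6 brackets stripped
    except ValueError:
        return False
    if not host:
        return False
    if host in LOCAL_HOSTNAMES or host.endswith(".localhost"):
        return True
    try:
        # Whole 127.0.0.0/8 range and ::1; integer forms like 2130706433 are rejected.
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a real hostname such as 127.0.0.1.example.org

def grant_decision(consumer: dict) -> dict:
    """What the authorization dialog should do for one consumer record."""
    local = is_local_callback(consumer["callback"])
    writes = sorted(set(consumer["grants"]) & WRITE_GRANTS)
    return {
        "warn_local": local,  # show the extra warning dialog on top
        "policy_violation": local and bool(writes),  # local consumer with write rights
        "write_grants": writes,
    }

def audit_local_consumers(consumers) -> list:
    """Monitoring pass: names of local consumers holding any write grant."""
    return [c["name"] for c in consumers if grant_decision(c)["policy_violation"]]

# Constructed sample consumer records (the field names are assumptions).
SAMPLE_CONSUMERS = [
    {"name": "tutorial-demo", "callback": "http://127.0.0.1:8080/cb", "grants": ["basic"]},
    {"name": "vagrant-local", "callback": "http://localhost/cb", "grants": ["basic", "editpage"]},
    {"name": "ipv6-local", "callback": "https://[::1]/cb", "grants": ["basic"]},
    {"name": "lookalike", "callback": "https://127.0.0.1.example.org/cb", "grants": ["editpage"]},
]

if __name__ == "__main__":
    for c in SAMPLE_CONSUMERS:
        print(c["name"], grant_decision(c))
    print("local consumers with write rights:", audit_local_consumers(SAMPLE_CONSUMERS))
```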

Event Timeline

Tgr created this task. Aug 3 2018, 11:45 AM
Restricted Application added a subscriber: Aklapper. Aug 3 2018, 11:45 AM