Page MenuHomePhabricator
Create Task
Maniphest T6949

Hide OAuth server secrets behind "Show Secret" to defuse screenshot/over-the-shoulder leaks
Closed, ResolvedPublic
Actions

Description

Currently, we show OAuth server secrets in cleartext. It would be nice to put these behind a "Show Secret" link or action, maybe similar to how Passphrase works, to make it harder to accidentally disclose the secret in a screenshot or by having someone read it or / take a photo over your shoulder.

This is a very minor risk, but is consistent with how other OAuth servers I've seen work.

Revisions and Commits

rP Phabricator
D11401rP1cc81b1d0ae4 OAuthServer - hide client secret behind a "View Secret" action

Event Timeline

epriestley created this task.Jan 12 2015, 9:33 PM
epriestley raised the priority of this task from to Low.
epriestley updated the task description. (Show Details)
epriestley added projects: OAuthServer, Security.
epriestley added subscribers: epriestley, btrahan.
epriestley added a project: Phacility.Jan 12 2015, 9:39 PM

This is actually a blocker (for launch, not blocking anything in the short term) because the view policy is always "All Users", and you only need View to see the secret. We should modernize the application:

  • Add a proper CAN_VIEW policy, and require users to be able to view the application to log in with it.
  • Put the secret behind a link/action (original task).
  • Add a proper CAN_EDIT policy, and require it to see the secret.

Then I can set CAN_VIEW to "Members of instance X" and CAN_EDIT to the instance-client bot and we're in good shape.

epriestley moved this task from Backlog to v0 Closed Beta on the Phacility board.Jan 12 2015, 9:39 PM
btrahan claimed this task.Jan 12 2015, 10:45 PM

I figure I'll toss this on my queue, though I want to do other things first.

Krenair added a subscriber: Krenair.Jan 14 2015, 3:47 AM
btrahan added a revision: D11401: OAuthServer - hide client secret behind a "View Secret" action.Jan 14 2015, 10:51 PM
btrahan closed this task as Resolved by committing rP1cc81b1d0ae4: OAuthServer - hide client secret behind a "View Secret" action.Jan 15 2015, 1:27 AM
btrahan added a commit: rP1cc81b1d0ae4: OAuthServer - hide client secret behind a "View Secret" action.
Phabricator · Built by Phacility