
Authenticating users with firebase for rocketchat

We're using the embedded form of Rocket.Chat in our website, basically using it as a chat server so registered website users can talk to the other users they've been given access to communicate with. When using the Rocket.Chat iframe and the API URL and API Method as documented here: - we're able to log the website user into their Rocket.Chat user, and allow them to communicate in chats, by passing along the loginToken from our backend server.

The problem is that a user's website session can expire automatically if they haven't visited the website in a little while, and then, when they log in again, if they log in as another user, since the sessionStorage still has the old user's loginToken, it logs the old user into the chat instead of the new user. This is an issue for people who share a PC or have multiple accounts on our website, for example.

We were trying to think of ways to clear the loginToken from the sessionStorage when a person logs in to the website, so that it would force Rocket.Chat to create a new one, and therefore log in the correct user if need be. One of the big issues we're finding is the fact that our Rocket.Chat is hosted on a different port, so we can't easily clear the sessionStorage from the parent domain due to cross-site restrictions such as CORS. We tried to use document.domain to work around this problem, but then we found that we can't clear the loginToken from the sessionStorage unless an active iframe from the Rocket.Chat domain is present; otherwise the browser can't find loginToken in the sessionStorage. Embedding an iframe just so we could clear it seemed to have issues too, as that iframe would then try to log in itself, and it would seem to cause multiple login attempts and "invalid user" errors inside the iframe. We also tried to embed a "src=/logout" iframe on website login, to kick the old user off so that Rocket.Chat would request a new token, but apparently this also does not clear the sessionStorage, so it did not work because it would continue to use the old loginToken and not attempt to get a new one. Does anyone know of a solution to this? Could you possibly tell us how to proceed here? Sorry we didn't follow your issue template.

We already found and were experimenting with the feature you pointed us at (Forget User Session on Window Close); unfortunately this doesn't solve the issue, as users will not always close their window (many times they'd just close the tab), and therefore it's not sufficient to reliably log them out. The main problem, of course, is that there's no way for us to clear this login token that Rocket.Chat has put into local storage. Meaning that when a user logs out of the main website session or it expires, the Rocket.Chat token still persists, and when they log in to the main site again (as a different user) Rocket.Chat doesn't even attempt to get a new token; it simply uses the one it already has, which belongs to the old user. The reason this is a security hole is that on a new login to the main site as a different user, Rocket.Chat remains logged in to the old Rocket.Chat session, and the newly logged-in main-site user can now interact with the old user's chats instead of their own. This leaves a security hole where, even if the client's main-site session that was used to retrieve a Rocket.Chat token expires or is otherwise destroyed, the Rocket.Chat token persists in local storage. There is no mechanism to invalidate a Rocket.Chat user who is logged in via the iframe auth API. This seems like a fairly serious issue that I believe affects every user of the iframe auth API (unless we've somehow implemented it incorrectly?) and presents a security risk. If necessary I could create a contained demo that demonstrates the issue as well. I'd be happy to file a new bug with excruciating detail and proper version numbers if that makes this process easier. This particular issue is not exactly a bug, but more of a gap in functionality in one of the features. Just let us know how you'd like us to continue here and we'll help out as best as we can.