Fix Electron SSO handling to support multiple profiles#13028
Fix Electron SSO handling to support multiple profiles#13028
Conversation
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
dbkr
left a comment
There was a problem hiding this comment.
Hmm - so does this send the full path to the user data directory to the HS and back? This seems bad in terms of security although I can't think specifically how it would be exploitable, other than being a bit of a privacy leak, or maybe your HS making your Riot write files into weird places.
I guess the problem is that this can be any directory? If we could limit it to only being subdirectories of appData that would make it a bit simpler.
indeed
we can't though because someone might use we could encrypt it and urlencode to prevent it being abused |
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
|
I still have bit of a bad but nonspecific feeling: the key used isn't particularly secure given the HS knows what platform the user is on, and if it's Linux, "/opt/riot-desktop/Riot" is a pretty good guess. I also have a general feeling of nervousness around having bits of crypto code, using different crypto primitives, hanging around for less-oft-used features. Thinking more about this, one option could be to store currently active SSO sessions with their profile directories in the main profile and then send an sso session ID as a param, looking it up in the map when it comes back? |
|
I like that idea |
…esolve in a map to our profile data Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
…poc_riot_desktop_sso_multi_profile
fwiw, its not, the config is in |
|
Will create a matching PR for riot-desktop before landing as to not break nightlies |
Fixes #12932
Requires element-hq/element-desktop#67