Restoring OAuth to its former functionality is just a couple of quick fixes, but I’ve taken it down in production (503 with an error message) for a security review because it does a few things I’m uncomfortable with – so any upcoming pull requests and discussion that reveal weaknesses aren’t exploitable.
Another issue with the current implementation: OAuth consumers aren’t revocable (or visible!) until the authorization code is exchanged for a token, the timing of which is controlled by a potentially malicious party up to 10 minutes from user approval.
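To make the window described above concrete, here is an added example (not weasyl's code, and not taken from libweasyl/oauth.py) of an authorization-code grant store that records a grant as soon as the user approves it, so it is visible and revocable before the client exchanges the code. The `AuthServer`, `Grant` and `FakeClock` names, the in-memory dictionaries, the ten-minute code lifetime and the hashed storage of codes and tokens are all assumptions made for the illustration; the user and client identifiers are constructed sample data.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed lifetime of an unexchanged authorization code (the ten minutes
# mentioned in the issue); not a value taken from weasyl.
CODE_TTL_SECONDS = 600


def _h(secret: str) -> str:
    """Store only hashes so a database read does not leak live codes/tokens."""
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class Grant:
    grant_id: str
    user_id: int
    client_id: str
    created_at: float
    code_hash: Optional[str]            # set while the code is unexchanged
    token_hash: Optional[str] = None    # set once a token has been issued
    revoked: bool = False

    def status(self, now: float) -> str:
        if self.revoked:
            return "revoked"
        if self.token_hash is not None:
            return "active"
        if now - self.created_at > CODE_TTL_SECONDS:
            return "expired"
        return "pending"


class FakeClock:
    """Injectable clock so the expiry behaviour can be exercised offline."""
    def __init__(self, start: float = 1_000_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


class AuthServer:
    def __init__(self, clock):
        self.clock = clock
        self.grants = {}      # grant_id -> Grant
        self.by_code = {}     # sha256(code) -> grant_id, for single-use lookup

    def approve(self, user_id: int, client_id: str):
        """Called at the moment the user clicks 'approve': the grant exists
        (and is therefore listable and revocable) before any exchange."""
        code = secrets.token_urlsafe(32)
        grant_id = secrets.token_hex(8)
        self.grants[grant_id] = Grant(grant_id, user_id, client_id,
                                      self.clock(), _h(code))
        self.by_code[_h(code)] = grant_id
        return grant_id, code

    def list_grants(self, user_id: int):
        now = self.clock()
        return [(g.grant_id, g.client_id, g.status(now))
                for g in self.grants.values() if g.user_id == user_id]

    def revoke(self, user_id: int, grant_id: str) -> bool:
        g = self.grants.get(grant_id)
        if g is None or g.user_id != user_id:
            return False
        g.revoked = True
        g.token_hash = None     # also invalidates an already issued token
        return True

    def exchange(self, client_id: str, code: str) -> Optional[str]:
        """Code exchange: single use, bound to the client, and refused if the
        grant was revoked or expired in the meantime."""
        grant_id = self.by_code.pop(_h(code), None)   # consumed even on failure
        if grant_id is None:
            return None
        g = self.grants[grant_id]
        if g.client_id != client_id or g.status(self.clock()) != "pending":
            return None
        token = secrets.token_urlsafe(32)
        g.token_hash, g.code_hash = _h(token), None
        return token

    def token_valid(self, token: str) -> bool:
        h = _h(token)
        return any(g.token_hash == h and not g.revoked for g in self.grants.values())


def demo() -> dict:
    """Walk through the scenario from the issue with constructed identifiers."""
    clock = FakeClock()
    srv = AuthServer(clock)
    gid, code = srv.approve(user_id=42, client_id="delaying-client")
    visible = srv.list_grants(42)[0][2]          # visible before any exchange
    srv.revoke(42, gid)                          # user revokes inside the window
    clock.advance(300)
    revoked_exchange = srv.exchange("delaying-client", code)   # refused
    _, code2 = srv.approve(42, "slow-client")
    clock.advance(CODE_TTL_SECONDS + 1)
    expired_exchange = srv.exchange("slow-client", code2)      # refused
    _, code3 = srv.approve(42, "good-client")
    token = srv.exchange("good-client", code3)
    return {"visible": visible, "revoked_exchange": revoked_exchange,
            "expired_exchange": expired_exchange,
            "active": srv.token_valid(token),
            "replay": srv.exchange("good-client", code3)}     # single use
```

Calling `demo()` shows the pending grant listed as `"pending"` immediately after approval, the delayed exchange of a revoked grant and the exchange of an expired code both returning `None`, a fresh exchange yielding a valid token, and a replay of the same code being refused.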
Unverified, but this looks like it’s critical to authentication and not compatible with the current version of Arrow:
weasyl/libweasyl/oauth.py, line 100 in 139fbae
Would help explain why there haven’t been any active OAuth clients since August 2018…
Luckily, if it’s already been broken for a long time, that gives us an opportunity to make breaking changes:
#304 remains important.