
Make sure we cannot register organisation accounts to wherever we like #159

Open
jaytaph opened this issue Jan 17, 2021 · 1 comment
Labels
needs discussion Things are not clear yet and needs discussion on how to solve/implement

jaytaph (Member) commented Jan 17, 2021

There are two ways to register an account to a mail server:

  • server invitation token
  • organisation invitation token

It's not possible to register on a server that you don't have permission from with a server token. However, it's possible to register on EACH server as long as you have an organisation token. This means we can register wherever we want with just a (random) organisation token.

In order to mitigate this, we can actually authorize the request by somehow tying the organisation token to the server. This would result in things like having the organisation token signed by the mail server, but this makes the number of steps to actually register a bit too many.

Instead, we could for now have a sort of "whitelist" on the server. Inside the config, or in redis, we can add a list of organisations which we want to register for. If we register an account with an org-token, we not only check if the org-token is valid, but also check if the org is whitelisted on this server. If not, we cannot register.

This is for now a sort of fallback until we can come up with something better (maybe OOB between server and organisation?)
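The following is an added example illustrating the comment above; it is not code from the BitMaelum project. It models the two registration paths with a simplified, assumed token format (`server:<host>:<hmac>` and `org:<orgname>:<hmac>`, HMAC-SHA256 instead of the project's real signatures), a resolver callback standing in for a global lookup of organisation keys, and an in-memory `AllowedOrgs` map standing in for the whitelist that the comment proposes to keep in the config or in Redis. `RegisterUnchecked` shows the reported behaviour (any valid org token registers on any server); `Register` adds the whitelist check. All names are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Invite is a parsed invitation token. The wire format is an assumption made
// for this example, not BitMaelum's real token format:
//   "server:<host>:<hex hmac>"  issued by the mail server for itself
//   "org:<orgname>:<hex hmac>"  issued by an organisation, verifiable anywhere
type Invite struct {
	Kind   string // "server" or "org"
	Issuer string // server host, or organisation name
	MAC    []byte
}

var (
	ErrMalformed     = errors.New("malformed invitation token")
	ErrInvalidToken  = errors.New("invitation token failed verification")
	ErrWrongServer   = errors.New("server token was issued for another server")
	ErrUnknownOrg    = errors.New("organisation key could not be resolved")
	ErrOrgNotAllowed = errors.New("organisation is not whitelisted on this server")
)

// Server models one mail server. ResolveOrgKey stands in for a global lookup of
// an organisation's verification key: every existing organisation resolves on
// every server, which is why a valid org token alone must not be enough.
type Server struct {
	Host          string
	Secret        []byte // key the server uses for its own invitation tokens
	ResolveOrgKey func(org string) ([]byte, bool)
	AllowedOrgs   map[string]bool   // per-server whitelist (config or redis)
	Accounts      map[string]string // registered address -> issuer
}

func NewServer(host string, secret []byte, resolve func(string) ([]byte, bool), allowed []string) *Server {
	s := &Server{Host: host, Secret: secret, ResolveOrgKey: resolve,
		AllowedOrgs: map[string]bool{}, Accounts: map[string]string{}}
	for _, o := range allowed {
		s.AllowedOrgs[o] = true
	}
	return s
}

func tokenMAC(kind, issuer string, key []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(kind + ":" + issuer))
	return h.Sum(nil)
}

// MintToken is what the issuer (server or organisation) hands to the invitee.
func MintToken(kind, issuer string, key []byte) string {
	return kind + ":" + issuer + ":" + hex.EncodeToString(tokenMAC(kind, issuer, key))
}

func ParseInvite(tok string) (Invite, error) {
	p := strings.SplitN(tok, ":", 3)
	if len(p) != 3 || (p[0] != "server" && p[0] != "org") || p[1] == "" {
		return Invite{}, ErrMalformed
	}
	mac, err := hex.DecodeString(p[2])
	if err != nil || len(mac) != sha256.Size {
		return Invite{}, ErrMalformed
	}
	return Invite{Kind: p[0], Issuer: p[1], MAC: mac}, nil
}

// verify checks only that the token is genuine. A server token is also pinned
// to this host; an org token says nothing about which server it may be used on.
func (s *Server) verify(inv Invite) error {
	var key []byte
	switch inv.Kind {
	case "server":
		if inv.Issuer != s.Host {
			return ErrWrongServer
		}
		key = s.Secret
	case "org":
		k, ok := s.ResolveOrgKey(inv.Issuer)
		if !ok {
			return ErrUnknownOrg
		}
		key = k
	}
	if !hmac.Equal(inv.MAC, tokenMAC(inv.Kind, inv.Issuer, key)) {
		return ErrInvalidToken
	}
	return nil
}

// RegisterUnchecked is the reported behaviour: any valid org token creates an
// account on any server.
func (s *Server) RegisterUnchecked(address, tok string) error {
	inv, err := ParseInvite(tok)
	if err != nil {
		return err
	}
	if err := s.verify(inv); err != nil {
		return err
	}
	s.Accounts[address] = inv.Issuer
	return nil
}

// Register adds the proposed fallback: an org token must verify AND the
// organisation must be whitelisted on this particular server.
func (s *Server) Register(address, tok string) error {
	inv, err := ParseInvite(tok)
	if err != nil {
		return err
	}
	if err := s.verify(inv); err != nil {
		return err
	}
	if inv.Kind == "org" && !s.AllowedOrgs[inv.Issuer] {
		return ErrOrgNotAllowed
	}
	s.Accounts[address] = inv.Issuer
	return nil
}
```

Note that the whitelist check runs after the token has verified, so an attacker cannot use the error to probe which organisations are whitelisted without first holding a valid token for that organisation.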

@jaytaph jaytaph added the needs discussion Things are not clear yet and needs discussion on how to solve/implement label Jan 21, 2021
jaytaph (Member, Author) commented Mar 14, 2021

We can achieve this whitelisting by actually not registering organisation addresses at all. Instead, we "symlink" organisation addresses to regular addresses.
