SECURITY: package settings (including secrets) accessible via client #308

Closed
evliu opened this issue Feb 4, 2015 · 2 comments
@evliu (Contributor) commented Feb 4, 2015

Steps to reproduce:

  • start up reaction with reaction-paypal module
  • in browser console, ReactionCore.Collections.Packages.findOne({"name":"reaction-paypal"})

Expected result:

  • not be able to see any sensitive information

Actual result:

  • in package settings, client_id and client_secret are exposed

This can apply to any package

@aaronjudd aaronjudd added this to the Core Architecture milestone Feb 4, 2015
@aaronjudd aaronjudd added the ready label Feb 4, 2015
@aaronjudd (Contributor) commented
I had it in my mind to refactor the package / registry mechanism (and possibly ReactionCore) when I made these updates, into a more organized public/private (à la Meteor settings). We should address this issue as both a quick patch, and as part of a more extensive approach.

@evliu (Contributor, Author) commented Feb 4, 2015

  • The payment packages may benefit from moving all Meteor.SomePaymentPackage.someMethod() to standard Meteor.methods, especially in terms of security.
  • Looking forward, to allow multiple payment settings to be stored for different vendors, maybe the settings could even be stored in each Shop collection. The difficulty is that these Shop owners would probably not have access to settings.json if multi-vendor is a possible feature.
  • The ReactionCore.Collections.Packages collection should probably not be published and passed to the client; rather, a utility method could return just what is needed (I'm guessing mainly for the Dashboard, but I'm sure I'm missing many other uses of the Packages collection), but we definitely need to secure it for the backend or just to the admin.

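The following is an added example, not code from the Reaction Commerce project or from either commenter. It models, in plain Node.js, what the browser ends up holding under the three options discussed above: the Packages collection published whole (the `findOne` in the steps to reproduce), a denylist that strips only the secret field names already known, and an allowlist that sends only named top-level fields plus a `settings.public` section (the public/private split mentioned for Meteor settings). It also shows the "move payment calls to server methods" suggestion as a server-side function that reads the secret and never returns it. The package documents, field names, secret values, the second package and every helper name (`publishAll`, `publishDenylist`, `publishAllowlist`, `findCredentialPaths`, `createPayment`) are constructed for this illustration; nothing here is Reaction's own schema or API.

```javascript
// Added example, not Reaction Commerce code. Documents, field names, secret
// values and helper names are constructed/hypothetical for the illustration.

// Constructed records shaped like the issue's reaction-paypal document (flat
// settings with client_id/client_secret) plus a second package whose secret
// lives under a different field name, to show why a denylist does not scale.
const PACKAGES = [
  {
    _id: "p1", name: "reaction-paypal", shopId: "s1", enabled: true,
    settings: {
      client_id: "AXcid-example",
      client_secret: "ELsecret-example",
      public: { mode: "sandbox" },
    },
  },
  {
    _id: "p2", name: "reaction-example-gateway", shopId: "s1", enabled: true,
    settings: {
      api_key: "sk_example",
      public: { currency: "USD" },
    },
  },
];

const clone = (doc) => JSON.parse(JSON.stringify(doc));

// 1. Vulnerable: the whole record reaches the browser, so a client-side
//    findOne({ name: "reaction-paypal" }) shows client_id and client_secret.
function publishAll(pkg) {
  return clone(pkg);
}

// 2. Denylist: strip the secret names we happen to know. Any other package,
//    or any renamed field, leaks again ("This can apply to any package").
const KNOWN_SECRET_FIELDS = ["client_secret"];
function publishDenylist(pkg) {
  const view = clone(pkg);
  for (const f of KNOWN_SECRET_FIELDS) delete view.settings[f];
  return view;
}

// 3. Allowlist: name the top-level fields a dashboard needs and send only the
//    settings.public subtree; everything else stays server-side by default.
const PUBLIC_TOP_LEVEL = ["_id", "name", "shopId", "enabled"];
function publishAllowlist(pkg) {
  const view = {};
  for (const f of PUBLIC_TOP_LEVEL) if (f in pkg) view[f] = clone(pkg[f]);
  view.settings = clone((pkg.settings && pkg.settings.public) || {});
  return view;
}

// What the client-side cache would contain for a given projection.
function clientView(projector) {
  return PACKAGES.map(projector);
}

// Walk a client view and collect every key path that looks like a credential.
// A heuristic check, useful as a test against a publication's output.
const SECRET_KEY = /secret|key|token|password/i;
function findCredentialPaths(value, path = "", out = []) {
  if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (SECRET_KEY.test(k)) out.push(p);
      findCredentialPaths(v, p, out);
    }
  }
  return out;
}

// Server-only method: the credentials are read and used here and never
// returned to the caller. Stands in for moving Meteor.SomePaymentPackage.*
// calls into server methods; the gateway call itself is simulated.
function createPayment(shopId, amount) {
  const pkg = PACKAGES.find((p) => p.name === "reaction-paypal" && p.shopId === shopId);
  if (!pkg || !pkg.enabled) throw new Error("paypal not configured for shop");
  const { client_id, client_secret } = pkg.settings;
  if (!client_id || !client_secret) throw new Error("paypal credentials missing");
  // ...authenticate to the gateway with client_id/client_secret here...
  return { ok: true, mode: pkg.settings.public.mode, amount };
}

console.log({
  publishAll: findCredentialPaths(clientView(publishAll)),
  publishDenylist: findCredentialPaths(clientView(publishDenylist)),
  publishAllowlist: findCredentialPaths(clientView(publishAllowlist)),
});
```

In a Meteor app the allowlist projection is the `fields` option on the cursor returned from `Meteor.publish` (for example `fields: { name: 1, shopId: 1, enabled: 1, "settings.public": 1 }`), and `createPayment` would be registered with `Meteor.methods` so that only its return value crosses to the client. Note that the denylist variant above still hands `client_id` to the browser, which the issue lists as sensitive; only the allowlist removes it without having to enumerate every secret field in every package.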
@aaronjudd aaronjudd self-assigned this Feb 13, 2015
aaronjudd added a commit that referenced this issue Dec 3, 2015
Changes that refactor the `ReactionCore.registerPackage`
implementation to a more flexible, and structured template
registry. `ReactionCore.registerPackage` moves to server.
package.registry is published to client.

These are not backwards compatible changes.

Updated documentation at docs/packages.md

Initial commit for issue #314

Strategic updates for Issue #273
Strategic updates for Issue #306
Strategic updates for Issue #305
Strategic updates for Issue #246
Strategic updates for Issue #183
Strategic updates for Issue #155
Strategic updates for Issue #16
Strategic updates for Issue #148

Resolves #53
Resolves #308
Resolves #178

*Remaining tasks*

  • solve undefined error
  • convert the rest of the payment packages
  • context sensitive widgets (context?)
  • update with detailed docs
  • (document all the existing "provides")
aaronjudd added a commit that referenced this issue Dec 3, 2015
##package-registry-refactor
Changes that refactor the `ReactionCore.registerPackage`
implementation to a more flexible, and structured template
registry. `ReactionCore.registerPackage` moves to server.
package.registry is published to client.

cycle = Core, Stable, Testing (todo: => correlates package semver)
container = combine multiple registry entries

These are not backwards compatible changes.

Updated documentation at docs/packages.md

Initial commit for issue #314

Strategic updates for Issue #273
Strategic updates for Issue #306
Strategic updates for Issue #305
Strategic updates for Issue #246
Strategic updates for Issue #183
Strategic updates for Issue #155
Strategic updates for Issue #16
Strategic updates for Issue #148
Strategic updates for Issue #146

Resolves #53
Resolves #308
Resolves #178
cmbirk pushed a commit to cmbirk/reaction that referenced this issue Aug 18, 2019
…l-plugin

chore(email-templates): update reaction-plugin-email-templates