Add nonce validation to SessionService #766

Merged
merged 9 commits into from
May 10, 2022

Commits on Feb 7, 2022

  1. 16d4d17

Commits on Feb 8, 2022

  1. 9cce2c2

Commits on Feb 9, 2022

  1. 0b329af
  2. Store nonce in session

    rob-3 committed Feb 9, 2022
    81b1e8e
  3. 682e37e

Commits on Feb 15, 2022

  1. Remove debugging statement

    rob-3 committed Feb 15, 2022
    7c0da8f

Commits on Feb 16, 2022

  1. Move NonceService functionality to SessionService

    Fixes ucfopen#728.
    
    This implements nonce functionality to prevent replay attacks on UDOIT.
    I've never implemented nonce functionality before, so the below code
    may contain security issues I'm ignorant of, but I gave it my best shot
    based on what I could find online. Essentially, by sending the random
    nonce back and forth, we can prevent an attacker from resending an
    encrypted POST request with potentially bad consequences, because the
    nonce can only be used once.

    rob-3 committed Feb 16, 2022
    07a11ea
  2. 3e308a6

Commits on Mar 1, 2022

  1. 77ecd78
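
An added sketch of the single-use nonce check that the 07a11ea commit message describes, written in Python for illustration; it is not code from this pull request or from UDOIT. The session is modelled as a plain dict, and `issue_nonce`, `consume_nonce`, `handle_post` and the 300-second lifetime are assumptions.

```python
import hmac
import secrets
import time

NONCE_TTL_SECONDS = 300  # assumed lifetime; the page does not state one


def issue_nonce(session, now=None):
    """Create a random nonce, store it in the session, and return it for the response."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(32)
    session.setdefault("nonces", {})[nonce] = now + NONCE_TTL_SECONDS
    return nonce


def consume_nonce(session, presented, now=None):
    """Return True exactly once for an unexpired nonce issued to this session."""
    now = time.time() if now is None else now
    pending = session.setdefault("nonces", {})
    # Purge expired entries so the per-session store cannot grow without bound.
    for value in [n for n, expires in pending.items() if expires <= now]:
        del pending[value]
    if not isinstance(presented, str) or not presented:
        return False
    # Compare against every outstanding nonce in constant time per comparison.
    match = None
    for candidate in pending:
        if hmac.compare_digest(candidate.encode(), presented.encode()):
            match = candidate
    if match is None:
        return False
    # Single use: remove the nonce before the request is acted on,
    # so a captured copy of the same POST is rejected.
    del pending[match]
    return True


def handle_post(session, form):
    """Hypothetical handler: refuse the request unless it carries a fresh nonce."""
    if not consume_nonce(session, form.get("nonce")):
        return 403, None
    # The response carries the next nonce, so every request uses a new one.
    return 200, issue_nonce(session)
```

A production version also has to persist the session atomically, otherwise two concurrent copies of one request can both pass the check.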