New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

刷新token接口的不安全隐患 #820

Open

dangweiwu opened this issue Oct 29, 2024 · 0 comments

Labels

dangweiwu commented Oct 29, 2024

跟踪了一下该框架的token刷新机制，发现存在一些漏洞

刷新token ui接口(post /refreshtoken)与后台服务接口(GET /api/v1/refresh_token)没有对应上，当然前端压根就没有刷新token机制，也就是没有实现无感续期token，所以也就从来没发现接口错了。
后端没有区分业务token与续期token，全都使用同个token，业务token是长时间使用，且容易泄露，一旦拿到业务token就可以调用get /api/v1/refresh_token进行永久续期，这是很大的隐患和漏洞。

既然没有打算实现无感刷新，建议把刷新token接口禁止掉。

github-actions bot added the Inactive label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment