Bug #27817

Root login doesn't require password on new UI

Added by Jayden Mews over 1 year ago. Updated over 1 year ago.

Status: Done
Priority: Expected
Assignee: Lola Yang
Category: GUI (new)
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked: Dependant on a related task to be completed
Needs QA: Yes
Needs Doc: Yes
Needs Merging: Yes
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

Logging in as root in FreeNAS 11.1 using Firefox doesn't prompt for a password once you log out, in order to log back in.

  1. Login as root
  2. Click logout from left hand menu
  3. Click login from top navigation bar
  4. Click try new BETA ui
  5. You are logged back in as root without being prompted for a password.

This seems like a pretty big security flaw. Once I log out, I should be logged out of all UIs.

If this can't be replicated I'm happy to provide further information, please let me know what you need.

Related issues

Related to FreeNAS - Feature #27990: Add logout method to auth plugin (Done)
Blocked by FreeNAS - Feature #27961: Authenticate API calls using authorization token header (Done)

Associated revisions

Revision efd5b277 (diff)
Added by Erin Clark over 1 year ago

Make app logout when the browser leaves the page

Ticket: #27817

Revision e1902f2d (diff)
Added by Erin Clark over 1 year ago

Make app logout when the browser leaves the page

Ticket: #27817

Revision 2b72852d (diff)
Added by Erin Clark over 1 year ago

Use a 1-minute ttl token with keepalive instead of storing username/password for authentication

Ticket: #27817

History

#1 Updated by Dru Lavigne over 1 year ago

  • Assignee changed from Release Council to Erin Clark
  • Target version set to 11.2-BETA1

Erin: do you know off-hand if this is still an issue in nightlies? If so, please delegate.

#2 Updated by Erin Clark over 1 year ago

  • Status changed from Unscreened to Screened

#3 Updated by Erin Clark over 1 year ago

  • Status changed from Screened to 15

Were you logged into the new UI prior to these steps?

#4 Updated by Jayden Mews over 1 year ago

Erin Clark wrote:

Were you logged into the new UI prior to these steps?

Yes

I don't know how to edit my OP, sorry. Step 1 should say "login as root in old UI".

#5 Updated by Dru Lavigne over 1 year ago

  • Status changed from 15 to Resolved
  • Target version changed from 11.2-BETA1 to Master - FreeNAS Nightlies

Jayden: let us know if the latest Nightly does not resolve this.

#6 Updated by Erin Clark over 1 year ago

  • Status changed from Resolved to Fix In Progress
  • Priority changed from No priority to Expected
  • Target version changed from Master - FreeNAS Nightlies to 11.2-BETA1

My fix hasn't been pulled into master yet, so it might not be. I will make a pull request soon.

#7 Updated by Jayden Mews over 1 year ago

Dru Lavigne wrote:

Jayden: let us know if the latest Nightly does not resolve this.

I don't intend to move from the stable train, sorry. Are you not able to replicate on stable?

#8 Updated by Erin Clark over 1 year ago

This should be fixed in 11.2. I am making it so that browsing away from the page will log you out; for now, just log out of the new UI before going into the old UI.

#10 Updated by Erin Clark over 1 year ago

  • Assignee changed from Erin Clark to Lola Yang

#11 Updated by Erin Clark over 1 year ago

  • Status changed from Fix In Progress to Needs Developer Review

#12 Updated by Nick Wolff over 1 year ago

  • File wtf-password-view.png added

#14 Updated by Nick Wolff over 1 year ago

  • File deleted (wtf-password-view.png)

#15 Updated by Dru Lavigne over 1 year ago

  • Status changed from Needs Developer Review to In Progress
  • Assignee changed from Lola Yang to Erin Clark
  • Reason for Blocked set to Other: make note in comments

Erin: it looks like this one is out-of-date with the base branch.

#16 Updated by Erin Clark over 1 year ago

  • Blocked by Feature #27961: Authenticate API calls using authorization token header added

#17 Updated by Erin Clark over 1 year ago

I'm working on a better solution but I need some API work done for it to work. See https://redmine.ixsystems.com/issues/27961

#18 Updated by Dru Lavigne over 1 year ago

  • Reason for Blocked changed from Other: make note in comments to Dependant on a related task to be completed

#19 Updated by Erin Clark over 1 year ago

#20 Updated by Erin Clark over 1 year ago

  • Assignee changed from Erin Clark to Lola Yang

With this commit it should properly use a token instead of keeping the username and password, and the token should expire if the user browses away from the UI for more than a minute.

https://github.com/freenas/webui/pull/329
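The mechanism described in the comment above (exchange credentials once for a short-lived token, keep it alive while the UI is open, and drop it when the browser leaves the page) as an added illustration. This is example code written here, not code from the FreeNAS webui pull request; the `FakeAuthApi` stand-in for the server, the `TokenSession` class, the `tok-N` token format, the sample password and the injectable clock are all constructed for the example. The 1-minute TTL is the value from the ticket.

```javascript
// Added example, not FreeNAS webui code: a browser-side session holder that
// retains only a short-lived token in memory (never the username/password),
// renews it with a keepalive while the page is open, and revokes it on unload.

const DEFAULT_TTL_MS = 60 * 1000; // the 1-minute ttl mentioned in the ticket

// Constructed stand-in for the server: issues tokens with an expiry, renews
// and revokes them. A real deployment would do this over the middleware API.
class FakeAuthApi {
  constructor(clock, validUsers) {
    this.clock = clock;           // injectable clock so the demo can advance time
    this.validUsers = validUsers; // { username: password }, constructed sample
    this.tokens = new Map();      // token -> expiry timestamp (ms)
    this.counter = 0;
  }
  generateToken(username, password, ttlMs) {
    if (this.validUsers[username] !== password) return null;
    const token = `tok-${++this.counter}`;
    this.tokens.set(token, this.clock() + ttlMs);
    return token;
  }
  isValid(token) {
    const exp = this.tokens.get(token);
    if (exp === undefined) return false;
    if (this.clock() >= exp) { this.tokens.delete(token); return false; }
    return true;
  }
  renewToken(token, ttlMs) {
    if (!this.isValid(token)) return false;
    this.tokens.set(token, this.clock() + ttlMs);
    return true;
  }
  revokeToken(token) { this.tokens.delete(token); }
}

// Client-side session state: holds the token and its expiry, nothing else.
class TokenSession {
  constructor(api, { ttlMs = DEFAULT_TTL_MS, clock = Date.now } = {}) {
    this.api = api; this.ttlMs = ttlMs; this.clock = clock;
    this.token = null; this.expiresAt = 0;
  }
  // Credentials are used for this one call and then go out of scope.
  login(username, password) {
    const token = this.api.generateToken(username, password, this.ttlMs);
    if (token === null) return false;
    this.token = token;
    this.expiresAt = this.clock() + this.ttlMs;
    return true;
  }
  isAuthenticated() {
    if (this.token !== null && this.clock() >= this.expiresAt) this.token = null;
    return this.token !== null;
  }
  // Header for API calls; an expired session throws instead of silently
  // re-authenticating, which is the behaviour the bug report complains about.
  authHeader() {
    if (!this.isAuthenticated()) throw new Error('session expired, log in again');
    return { Authorization: `Token ${this.token}` };
  }
  // Called on a timer while the UI is open. A closed or abandoned tab stops
  // calling it, so the token lapses on its own within one TTL.
  keepalive() {
    if (!this.isAuthenticated()) return false;
    if (!this.api.renewToken(this.token, this.ttlMs)) { this.token = null; return false; }
    this.expiresAt = this.clock() + this.ttlMs;
    return true;
  }
  logout() {
    if (this.token !== null) this.api.revokeToken(this.token);
    this.token = null; this.expiresAt = 0;
  }
  // "Logout when the browser leaves the page": wire to a window-like object.
  attachToWindow(win) { win.addEventListener('beforeunload', () => this.logout()); }
}

// Walk through the scenario with a fake clock; returns the observations.
function demo() {
  let t = 0; const clock = () => t;
  const api = new FakeAuthApi(clock, { root: 'example-password' }); // constructed sample
  const s = new TokenSession(api, { clock });
  const r = {};
  r.badLogin = s.login('root', 'wrong');
  r.login = s.login('root', 'example-password');
  r.header = s.authHeader().Authorization;
  t += 30 * 1000; r.keepalive = s.keepalive();       // renewed: now valid until 90 s
  t += 45 * 1000; r.stillValid = s.isAuthenticated();  // 75 s: still within renewed TTL
  t += 20 * 1000; r.expired = !s.isAuthenticated();    // 95 s: no keepalive, token lapsed
  // Second session: leaving the page revokes the token on both sides.
  const s2 = new TokenSession(api, { clock });
  s2.login('root', 'example-password');
  const fakeWin = { handlers: {}, addEventListener(ev, fn) { this.handlers[ev] = fn; } };
  s2.attachToWindow(fakeWin);
  const token2 = s2.token;
  fakeWin.handlers.beforeunload();
  r.serverRejectsAfterUnload = !api.isValid(token2);
  r.clientClearedAfterUnload = !s2.isAuthenticated();
  return r;
}

console.log(demo());
```

The point to notice is that nothing in `TokenSession` can re-authenticate by itself: once the token is gone, whether by expiry, by the server refusing a renewal, or by the unload handler, the only way back is a fresh `login` call with a password typed by the user. In a real browser the `beforeunload` handler is best-effort (it may not run on a crash or forced close), which is why the short TTL plus keepalive is the part that actually bounds the exposure.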

#21 Updated by Dru Lavigne over 1 year ago

  • Status changed from In Progress to Done
  • Target version changed from 11.2-BETA1 to Master - FreeNAS Nightlies
