Add username sanity check on vault save to prevent db corruption between user sessions #481

Closed
lanedirt opened this issue Dec 19, 2024 · 0 comments · Fixed by #482
Labels
enhancement New feature or request

Comments

@lanedirt
Owner

When you are logged into one account and then, on another tab in the same browser session, attempt to log out and log in with a different account, corruption can occur when trying to save a vault on the original tab. This is because only one session is supported within a browser at a time.

When a user tries to update and save their vault on the original tab, it will try to save an encrypted database blob to another user, which can no longer be decrypted because different encryption keys are used.

To prevent this, we should add a username sanity check on all vault save actions so the client provides the username that is the owner of the encrypted vault blob. If this provided username does not match the actual username of the currently logged-in user (as determined by the API access token), the update should be rejected.

@lanedirt lanedirt added the enhancement New feature or request label Dec 19, 2024
@lanedirt lanedirt changed the title Add username sanity check on vault save to prevent corruption between user sessions Add username sanity check on vault save to prevent db corruption between user sessions Dec 19, 2024
lanedirt added a commit that referenced this issue Dec 19, 2024
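
The check proposed in this issue, as an added Python model that is not the project's own code and not part of the original post. The class and function names, the in-memory token table, and the users `alice` and `bob` are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field


class VaultOwnerMismatch(Exception):
    """The username sent with the blob is not the authenticated user."""


@dataclass
class VaultServer:
    sessions: dict = field(default_factory=dict)  # access token -> username
    vaults: dict = field(default_factory=dict)    # username -> encrypted blob

    def login(self, username: str) -> str:
        token = secrets.token_hex(16)  # stand-in for the real access token
        self.sessions[token] = username
        return token

    def save_vault(self, token: str, claimed_owner: str, blob: bytes) -> None:
        actual = self.sessions.get(token)
        if actual is None:
            raise PermissionError("invalid or expired access token")
        # Identity comes from the token only. The client-supplied username is
        # compared against it and never used to choose which vault to write.
        if claimed_owner != actual:
            raise VaultOwnerMismatch(
                f"blob owner {claimed_owner!r} != session user {actual!r}")
        self.vaults[actual] = blob


def two_tab_scenario() -> dict:
    """Replay the issue with constructed users 'alice' and 'bob'."""
    server = VaultServer()
    storage = {"token": server.login("alice")}  # browser storage shared by tabs
    tab_a_owner = "alice"  # tab A remembers whose vault it decrypted
    server.save_vault(storage["token"], tab_a_owner, b"alice-key-blob-v1")

    storage["token"] = server.login("bob")      # tab B: log out, log in as bob
    server.save_vault(storage["token"], "bob", b"bob-key-blob-v1")

    try:  # tab A saves its stale vault using the now-shared bob token
        server.save_vault(storage["token"], tab_a_owner, b"alice-key-blob-v2")
        rejected = False
    except VaultOwnerMismatch:
        rejected = True
    return {"rejected": rejected, "vaults": dict(server.vaults)}


if __name__ == "__main__":
    print(two_tab_scenario())
```

Without the comparison in `save_vault`, the last call would overwrite bob's vault with a blob encrypted under alice's key, which is the corruption the issue describes.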