Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[NEW] create a method 'create token' #6807

Merged
merged 3 commits into from
Apr 26, 2017
Merged

[NEW] create a method 'create token' #6807

merged 3 commits into from
Apr 26, 2017

Conversation

ggazzo
Copy link
Member

@ggazzo ggazzo commented Apr 26, 2017

@RocketChat/core

Allowed users (usually admins) can generate access tokens to another user.
Users can generate theirs tokens too.

@ggazzo ggazzo requested review from rodrigok and graywolf336 and removed request for rodrigok April 26, 2017 16:13
graywolf336
graywolf336 suggested changes Apr 26, 2017
View reviewed changes
Copy link
Contributor

@graywolf336 graywolf336 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How exactly would this token be used? Can it be used for the rest api? Can it be used to automatically log in a user on the website?

packages/rocketchat-lib/server/methods/createToken.js Outdated
@@ -0,0 +1,13 @@
Meteor.methods({
createToken({user}) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Change this parameter to only show which properties of the user you need. This way the clients calling this real-time method don't need to pass the full user object which in turn makes transmission over the wire faster.

@ggazzo
Copy link
Member Author

ggazzo commented Apr 26, 2017

@graywolf336 I think @rodrigok have a better answer. But I believe the case is a service/integration that uses the API, but we don't want to save passwords to get the token.

@engelgabriel engelgabriel added this to the 0.56.0 milestone Apr 26, 2017
@graywolf336
Copy link
Contributor

Okay. We've had a lot of people expecting the login via the rest api actually logging them into the website, which is why I was asking

@rodrigok rodrigok merged commit b7421ba into RocketChat:develop Apr 26, 2017
@marceloschmidt
Copy link
Member

@RocketChat/core this is a huge security flaw! How's this been approved? So an admin can now create a token for any user and login as them?

@ggazzo ggazzo deleted the create-token branch August 20, 2019 01:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@graywolf336 graywolf336 graywolf336 approved these changes

Assignees

@rodrigok rodrigok

Labels
None yet
Projects
None yet
Milestone
0.56.0
Development

Successfully merging this pull request may close these issues.
5 participants
@ggazzo @graywolf336 @marceloschmidt @rodrigok @engelgabriel