I have two apps using the same Accounts server. I can login on one , use the login token to login on the other app. Works fine
so if I have login on accounts.example.com ,get the token and redirect to music.example.com/login?tok=tokenId , call Meteor.loginWithToken with that token
and redirect finally to target address music.example.com/dashboard
So the question is, is it ‘nice’ exposing that token in the url for a while?
Or anyone knows the best way to achieve this aim ?
That should be ok.
The reason is that the login token is already sent to the browser and held in localStorage. So it shouldn’t be any issue if you put it in the URL as well. I know in PHP you can run the whole session by putting the login token in the URL.
It could make accidentally sharing it a problem. I’m not aware of any solution that I’d swear by, but you could use a temporary one time use token, and some communication between the servers to validate that token, and then transfer the user token server to server. To avoid a URL that that user could grab you could post that temporary one use token to the new server, instead of linking a static link.
I can’t swear this is a good architecture, as I’d have to think it through more.
There are a ton of articles dealing with XSS session hijacking you may want to read up on https://www.google.com/search?q=xss+session+hijacking&oq=XSS+session+h&aqs=chrome.0.0j69i57.4559j0j7&sourceid=chrome&ie=UTF-8
It would be a security risk in case someone is snooping the wi-fi connection and knows that you are exposing the the loginToken on the URL. Additionally, that URL can be used multiple times.
The right solution here would be to create a document that holds the token inside of it, and to write a Method that a) checks for the document and returns the loginToken embedded with-in it and b) removes that document.
Another thing to watch out for:
How it is persisted in server logs etc, and how those are handled.
Thanks guys! I’ll be using internal app communication