I’ve connected multiple statically-served frontends to a single Meteor backend, with no DDP configuration, only pasting the same scripts from the main app into the clients, and a little bit of cross-origin iframe-based token sharing code so that logins/logouts work across all clients, with CORS headers to limit it to my domains. It’s working great! (I’ll make a separate thread on the process)
It turned out to be easy to grab the token from localStorage, then write it into the localStorage of another client (using an iframe). Once this is done, the other client’s Accounts instance automatically picks up the token and logs the user in. Cool!
This also means that it is trivially easy for a browser extension author to grab the token from an app’s localStorage, and then log in as the user in another browser of their own, on any computer.
Of course users should be mindful of extensions they install, and what permissions they’ve allowed. But let’s be honest: we know people that blindly accept permissions because it is so easy and the implications are not clearly stated to them.
If we are building a money-handling app with Meteor, for example, it might be beneficial to try to mitigate this type of exploit. For example, imagine if you made a banking app or an app similar to Venmo or PayPal, etc. We wouldn’t want a malicious extension to start to freely send money without permission.
I wonder if there’s a way to detect this type of token theft, to prevent malicious extensions from using the token.
One idea is if a new login is detected at a new IP, require re-authentication. This could get annoying when traveling, unless Meteor can detect a new login vs an existing login. Is detecting new vs existing logins even possible?
Other ideas?