Improve API security
tobyzerner opened this issue · 2 comments
tobyzerner commented
Currently:
- We expire API tokens after 1 hour
- For tokens created by logging into Flarum's web app, we expire them after 14 days so that the user can be remembered via cookie
- Logging out destroys all tokens
I would like to discuss:
- The benefits of adopting a spec like OAuth2 in our case (JavaScript app can't keep a secret), as opposed to our simple token system.
- Implementing a "sudo mode" for sensitive actions like changing emails, and using any admin function (edit/delete user, admin CP, etc.). This would basically get the user to enter their password in order to obtain a privileged token that is expired after 30 mins.
- Any other things we should do to improve security of the API.
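The token lifetimes listed above and the proposed sudo mode can be sketched as one small server-side token store. The following is an added illustration, not Flarum code: it keeps only a hash of each issued token, distinguishes plain API tokens (1 hour), remember-me tokens (14 days) and sudo tokens (30 minutes), requires the password to be re-entered against an already valid session before a sudo token is issued, and destroys every token for the user on logout. The `TokenStore` class, its method names and the PBKDF2 password check are assumptions made for the example; the user ids and passwords are constructed demo data.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Lifetimes from the issue, in seconds.
API_TOKEN_TTL = 60 * 60               # 1 hour for ordinary API tokens
REMEMBER_TOKEN_TTL = 14 * 24 * 60 * 60  # 14 days for web-app "remember me" tokens
SUDO_TOKEN_TTL = 30 * 60              # 30 minutes for the proposed privileged token


@dataclass
class Token:
    user_id: int
    kind: str          # "api", "remember" or "sudo"
    expires_at: float  # absolute UNIX time


class TokenStore:
    """Hypothetical in-memory token store (example only, not Flarum's).
    Only SHA-256 digests of tokens are kept, so a leaked store cannot
    be replayed as bearer credentials."""

    def __init__(self) -> None:
        self._tokens: Dict[str, Token] = {}
        # Constructed credential store: user id -> (salt, PBKDF2 hash).
        self._passwords: Dict[int, Tuple[bytes, bytes]] = {}

    @staticmethod
    def _digest(raw: str) -> str:
        return hashlib.sha256(raw.encode()).hexdigest()

    @staticmethod
    def _hash_password(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, user_id: int, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._passwords[user_id] = (salt, self._hash_password(password, salt))

    def _check_password(self, user_id: int, password: str) -> bool:
        entry = self._passwords.get(user_id)
        if entry is None:
            return False
        salt, stored = entry
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(self._hash_password(password, salt), stored)

    def _issue(self, user_id: int, kind: str, ttl: int, now: float) -> str:
        raw = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._tokens[self._digest(raw)] = Token(user_id, kind, now + ttl)
        return raw  # the only time the plaintext token exists server-side

    def login(self, user_id: int, password: str, remember: bool = False,
              now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        if not self._check_password(user_id, password):
            return None
        if remember:
            return self._issue(user_id, "remember", REMEMBER_TOKEN_TTL, now)
        return self._issue(user_id, "api", API_TOKEN_TTL, now)

    def authenticate(self, raw: str, now: Optional[float] = None) -> Optional[Token]:
        """Return the token record if it exists and has not expired."""
        now = time.time() if now is None else now
        tok = self._tokens.get(self._digest(raw))
        if tok is None or now >= tok.expires_at:
            return None
        return tok

    def elevate(self, raw: str, password: str,
                now: Optional[float] = None) -> Optional[str]:
        """Sudo mode: a valid session plus a fresh password entry yields a
        short-lived privileged token. A sudo token cannot mint another one."""
        now = time.time() if now is None else now
        session = self.authenticate(raw, now)
        if session is None or session.kind == "sudo":
            return None
        if not self._check_password(session.user_id, password):
            return None
        return self._issue(session.user_id, "sudo", SUDO_TOKEN_TTL, now)

    def authorize_sensitive(self, raw: str, now: Optional[float] = None) -> bool:
        """Sensitive actions (email change, admin functions) need a live sudo token."""
        tok = self.authenticate(raw, now)
        return tok is not None and tok.kind == "sudo"

    def logout(self, user_id: int) -> None:
        """Destroy all tokens for the user, matching the current logout behaviour."""
        self._tokens = {h: t for h, t in self._tokens.items() if t.user_id != user_id}
```

Passing `now` explicitly lets the expiry rules be exercised deterministically; in production the calls simply use the current time. The important properties to check are that an ordinary or remember-me token never authorizes a sensitive action on its own, that the sudo token stops working at the 30-minute mark, and that logout invalidates all three kinds at once.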
tobyzerner commented
Relevant discussion: http://discuss.flarum.org/d/769-cookie-security
luceos commented
Note: sudo mode is already in progress