mbround18/foundryvtt-discord-auth

Should support empty access key

Closed this issue · 4 comments

FoundryVTT allows for blank access keys

I'd like to be able to use discord oauth only, no access keys at all

When leaving access key blank in user setup, I get a "wrong access key" notification

@Deastrom I could add this functionality but it would potentially be insecure, for example, if you had only discord authentication enabled without an access key then all someone would have to do is be friends with you on discord to log into your foundry instance.

Foundry itself does not guard against brute force attacks for password authentication. They do not implement any guards revolving around CSRF or modified http requests.

https://portswigger.net/web-security/csrf/tokens
Creating this mod has opened my eyes to some glaring security holes in foundry and I would highly recommend continuing with an access key. Although, if this is a feature you still would like, I can add a feature for it as a configuration option with a disclaimer about security.

That's interesting, I'd figure it would be just the user that you put into your user management considering the username and discord id would have to match. Then you'd have to log into your discord and grant the app access. Is this not verifying the username/id returned from the oauth call?

@Deastrom (ignore my edit to your comment, I clicked the wrong button on this mobile app :P)

It does verify the return on the call, but it's missing the other piece which would be on Foundry to implement. The other piece of authorization is JWT authentication on the backend which would ultimately verify the user every 5 minutes or with every call.

I chose not to implement that piece because it would be violating the terms of use for foundry and potentially put myself in the hot seat :<

I did look into it and it wouldn't be that difficult for foundry to implement oauth platforms but it seems as though the developer is currently working on other priorities.

Closing as stale.