Carts are open to anyone with an email
robconery opened this issue · 2 comments
If I understand this code correctly, any user with an email address can see what's in a given cart simply by adding an email address to a querystring:
This has a number of security ramifications. I would suggest using some type of non-discoverable key (like a GUID) or perhaps using anonymous auth with a JWT.
Yes,
This is related to the fake auth, which we currently have. We are using the email as the "security token" because we don't have a token provider.
Currently the Authorization header has the form Email foo@bar.baz, and that makes calls on behalf of the foo@bar.baz user.
So from a security point of view you should consider that everything is open.
In the roadmap we have plans to use JWT with a custom provider (for "fake auth") and maybe with a real provider (like AADB2C).
Thx again!
You can accomplish the exact same thing with something that can't be guessed or enumerated. Sending an email as a "security key" through a header isn't something that should be presented in a Microsoft repository. As mentioned in the other thread: customers look at our code for guidance and will often use the patterns we present.
I strongly suggest, at the very least, using a non-identifiable, less-guessable value like a GUID.
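The three access patterns discussed in this thread side by side, as an added illustration that is not code from the repository or from either commenter, written in Python rather than the project's own language: the "Authorization: Email foo@bar.baz" header, a cart keyed by a random non-enumerable id (the GUID suggestion), and an anonymous session token minted and verified by the server in the JWT HS256 layout. The CartStore class, the signing key, the cart contents and the "victim"/"anon-victim" identities are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


# --- The pattern the issue objects to: "Authorization: Email foo@bar.baz".
# The header is a bare claim of identity; nothing proves the caller owns it.
def owner_from_email_header(authorization: str) -> str:
    scheme, _, email = authorization.partition(" ")
    if scheme != "Email" or "@" not in email:
        raise PermissionError("missing Email credential")
    return email  # whoever sends this header is now "foo@bar.baz"


# --- Fix 1: key the cart by a random, non-enumerable id instead of an email.
class CartStore:
    """Constructed for the demo: carts addressable only by a 128-bit CSPRNG id."""

    def __init__(self) -> None:
        self._carts = {}

    def create(self) -> str:
        # uuid4() would do as well; a v1 (time/MAC based) GUID would not, being predictable.
        cart_id = secrets.token_urlsafe(16)
        self._carts[cart_id] = []
        return cart_id

    def get(self, cart_id: str) -> list:
        try:
            return self._carts[cart_id]
        except KeyError:
            # one error for "no such cart" and "not yours": nothing to enumerate
            raise PermissionError("unknown cart") from None


# --- Fix 2: anonymous auth with a server-signed session token (JWT-style, HS256).
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_anonymous_token(key: bytes, now: int, ttl: int = 3600) -> str:
    """Server side: issue a token whose subject is a fresh random anonymous id."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": "anon-" + secrets.token_hex(16), "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def subject_from_bearer(key: bytes, authorization: str, now: int) -> str:
    """Server side: trust 'Authorization: Bearer <token>' only after signature and expiry check."""
    scheme, _, token = authorization.partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        raise PermissionError("missing bearer token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        raise PermissionError("malformed token") from None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise PermissionError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; never honour alg=none from the token
        raise PermissionError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise PermissionError("bad signature")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise PermissionError("expired")
    if not isinstance(claims.get("sub"), str):
        raise PermissionError("no subject")
    return claims["sub"]


def demo() -> dict:
    """Exercise the three access paths and report who could read what."""
    results = {}
    # Email header: the attacker simply names the victim.
    carts_by_email = {"victim@example.com": ["camera"]}  # constructed sample data
    results["email_header_leaks"] = carts_by_email[owner_from_email_header("Email victim@example.com")]
    # Random cart id: an email (or any other known identifier) finds nothing.
    store = CartStore()
    victim_cart = store.create()
    store.get(victim_cart).append("camera")
    try:
        store.get("victim@example.com")
        results["guess_by_email_works"] = True
    except PermissionError:
        results["guess_by_email_works"] = False
    results["owner_reads_own_cart"] = store.get(victim_cart)
    # Signed token: the subject comes from the signature, not from the caller's say-so.
    key = secrets.token_bytes(32)  # demo only; a real service loads this from a secret store
    now = int(time.time())
    token = mint_anonymous_token(key, now)
    results["subject_is_anonymous"] = subject_from_bearer(key, "Bearer " + token, now).startswith("anon-")
    h, _p, s = token.split(".")
    forged = _b64url(json.dumps({"sub": "anon-victim", "exp": now + 3600}).encode())
    try:
        subject_from_bearer(key, f"Bearer {h}.{forged}.{s}", now)
        results["forged_subject_accepted"] = True
    except PermissionError:
        results["forged_subject_accepted"] = False
    try:
        subject_from_bearer(key, "Bearer " + token, now + 7200)
        results["expired_accepted"] = True
    except PermissionError:
        results["expired_accepted"] = False
    return results
```

The cart-id variant is the cheapest drop-in for the "GUID" suggestion, but it is a capability, not an identity: whoever learns the id owns the cart, so it has to travel only over TLS and never in logs or referrers. The signed-token variant keeps the anonymous user's id out of the caller's hands entirely and is the shape a later swap to a real JWT provider would keep.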