duckietm/Nitro-V3
1
0
Fork 0
mirror of https://github.com/duckietm/Nitro-V3.git synced 2026-06-19 15:06:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: don't dump the SSO ticket in the prepare() diagnostic log

Browse Source 
The `[App] prepare() start` console.warn was including the full SSO
ticket from `window.location.search`. SSO tickets are one-shot bearer
credentials — any leak (copied logs in a bug report, screen share,
malicious browser extension reading console output) grants
single-use access to the user's session. Replace the actual ticket
with a boolean.
This commit is contained in:
medievalshell
2026-05-21 02:23:56 +02:00
parent 0c7814fe04
commit 450b0fface
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/App.tsx
+6 -1
View File
@@ -477,11 +477,16 @@ export const App: FC<{}> = props =>
{ {
const prepare = async (width: number, height: number) => const prepare = async (width: number, height: number) =>
{ {
// Don't dump the actual SSO ticket — it's a one-shot bearer
// credential that grants access to the user's session, so
// logging it in console.warn would leak it via copied logs
// / screen shares / browser extension hooks. Boolean flag is
// enough for the diagnostic.
console.warn('[App] prepare() start', { console.warn('[App] prepare() start', {
hasNitroConfig: !!window.NitroConfig, hasNitroConfig: !!window.NitroConfig,
ssoTicketInConfig: !!window.NitroConfig?.['sso.ticket'], ssoTicketInConfig: !!window.NitroConfig?.['sso.ticket'],
hasRememberLocal: !!GetRememberLogin(), hasRememberLocal: !!GetRememberLogin(),
urlSso: new URLSearchParams(window.location.search).get('sso') hasUrlSso: !!new URLSearchParams(window.location.search).get('sso')
}); });
const bootLabel = taskLabel('loading.task.boot', 'Avvio in corso...'); const bootLabel = taskLabel('loading.task.boot', 'Avvio in corso...');