API and Websocket Keys Leakage

[Securitybits-io]

The WebUI leaks the RestAPI and Websocket tokens in the javascript source code! These should not be reflected back to the user as that can lead to unintended requests through for example XSS.

API Bearer Token

Websocket Token

[brothercorvo]

@naman108 please verify if that is still the case in the current version

[naman108]

This is definitely still an issue

[naman108]

I think this issue can be reasonably decomposed into three parts:

1. insecure communications between client and server due to HTTP
2. generic web socket key
3. API token in text

1: insecure communications

IMO, this is probably the most relevant factor for the security conscious user as the other two pertain mostly to cases where an attacker already has access to the UI. To address this issue we would need two main changes:

• add automatic UI certificate generation
• add configuration to Flask to use generated certificates

2: Generic Websockets Keys

I think we could reasonably address this by enabling API tokens for use in the web sockets that way every user has a uniquely identifying access token for FTS which can be revoked.

3: API token in text

In general, we expect that the authenticated user knows their API token however clearly this is an issue over HTTP as anyone listening could get access to the API token. This would bring us back to issue 1, where we should provide the user with an easy mechanism to enable HTTPS.

[naman108]

@brothercorvo @Securitybits-io what are your thought's on this?