shrub/pkg
fang ef89cf2410
eyre: rework eauth to be client-initiated
Instead of doing formal network traffic on the host-side whenever a
login attempt gets initiated, we now do it no earlier than when we're on
the client-side. This has the important property that network traffic
can only be initiated by authenticated HTTP requests. The previous
implementation, where hosts sent pleas when an unauthenticated HTTP
client said they wanted to log in, was vulnerable to abuse.

So now, formally, the eauth flow starts at the client's confirmation
screen. There is an optional step preceding this, where an attempt is
started on the host (and data is still stored for this), but to get the
redirect target, the host uses remote scry to get the eauth URL out of
the client ship.

Hosts now also give attempt-specific return URLs, useful in case they
are accessible (or even serving different content) from different
hostnames.
2023-06-09 15:46:04 +02:00
arvo eyre: rework eauth to be client-initiated 2023-06-09 15:46:04 +02:00
autoprop Merge pull request #6328 from urbit/autoprop-link 2023-03-16 08:46:20 -07:00
base-dev Revert "hoon: add doc parsing flag to +vang" 2023-05-02 10:31:42 -04:00
herb Revert "Revert "Merge naive/aggregator into poprox/naive-tests"" 2021-08-19 16:09:28 -07:00
interface dbug: support eyre eauth state & functionality 2023-05-18 23:40:16 +02:00
landscape Revert "hoon: add doc parsing flag to +vang" 2023-05-02 10:31:42 -04:00
symbolic-merge.sh pkg/symbolic-merge.sh from @Fang- 2021-08-30 20:19:16 +03:00