-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
accessToken leak #12221
Comments
Sorry, I can't get the key issue. Do you means the nacos console is not need And you said the accessToken leak problem. If in nacos console url is leak, only remove in url is not usage, but you also can get it by browser console. If you said client leak the token, you want to leak this token must be catch the tcp package and analyze them. If by this way, you also can get the token in header. So which one is your issue? |
Well, It might be an enhancement for nacos console. See community response and callback, If you or someone want to do this enhancement, can submit a PR to remove it . |
Hi, if you don't have time to address this issue, I'd like to give it a try and work on an optimization. @webapple |
In the url address, accessToken directly appears after the url, resulting in information leakage of the token on the Router. And this API returns all the configuration information.
I already saw accessToken in the header of the request, so adding it to the url parameter is a bit redundant.
http://localhost:9091/nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=gtjazgqd_cloud_dev&search=accurate&accessToken=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJuYWNvcyIsImV4cCI6MTcxODM3NDc0OX0.07Mc9AB1CDRSwEpl_udNBJeZCSFzgZZg6HXdcG1Ilro&username=nacos
The text was updated successfully, but these errors were encountered: