Remove the undocumented login-with-token page

There are several problems with this feature: 1. To use it, you have to put the user's token in the URL. This token lasts forever (unless the user explicitly logs out), so it is nearly as sensitive as the user's password. Embedding such sensitive information in the URL is problematic, because URLs are saved in the browser history, dumped to server logs and displayed on the screen, none of which are secure locations. A user could also accidentally share a URL with an embedded token. 2. If an attacker can get a user to follow a malicious link, they could forcibly log that user into the attacker's account (AKA "login CSRF"). This by itself is just a nuisance, but the attacker could potentially use this to trick the victim into, for example, uploading confidential data to the attacker's account. 3. By design, it requires the use of token authentication, whose drawbacks I have explained in cvat-ai#8289. In fairness, when originally implemented, this feature set the session cookie rather than the token, but this cannot work if the user is already logged in, as the `sessionid` cookie is marked `HTTPOnly` and cannot be overridden by JavaScript. So the only way for this feature to work in all circumstances is to set the token. Generally, the use cases of this feature are better served by single sign-on protocols, which don't suffer from these drawbacks.
SpecLad · Aug 22, 2024 · f3ebea1 · f3ebea1
1 parent 3fdb032
commit f3ebea1
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 55 deletions.
diff --git a/changelog.d/20240822_134319_roman_rm_login_with_token.md b/changelog.d/20240822_134319_roman_rm_login_with_token.md
@@ -0,0 +1,4 @@
+### Removed
+
+- Removed the `/auth/login-with-token` page
+  (<https://github.com/cvat-ai/cvat/pull/8336>)
diff --git a/cvat-ui/package.json b/cvat-ui/package.json
@@ -1,6 +1,6 @@
 {
   "name": "cvat-ui",
-  "version": "1.64.6",
+  "version": "1.65.0",
   "description": "CVAT single-page application",
   "main": "src/index.tsx",
   "scripts": {

diff --git a/cvat-ui/src/components/cvat-app.tsx b/cvat-ui/src/components/cvat-app.tsx
@@ -17,7 +17,6 @@ import Text from 'antd/lib/typography/Text';
 
 import LogoutComponent from 'components/logout-component';
 import LoginPageContainer from 'containers/login-page/login-page';
-import LoginWithTokenComponent from 'components/login-with-token/login-with-token';
 import RegisterPageContainer from 'containers/register-page/register-page';
 import ResetPasswordPageConfirmComponent from 'components/reset-password-confirm-page/reset-password-confirm-page';
 import ResetPasswordPageComponent from 'components/reset-password-page/reset-password-page';
@@ -501,11 +500,6 @@ class CVATApplication extends React.PureComponent<CVATAppProps & RouteComponentP
                                 <Layout.Content style={{ height: '100%' }}>
                                     <ShortcutsDialog />
                                     <Switch>
-                                        <Route
-                                            exact
-                                            path='/auth/login-with-token/:token'
-                                            component={LoginWithTokenComponent}
-                                        />
                                         <Route exact path='/auth/logout' component={LogoutComponent} />
                                         <Route exact path='/projects' component={ProjectsPageComponent} />
                                         <Route exact path='/projects/create' component={CreateProjectPageComponent} />
@@ -590,11 +584,6 @@ class CVATApplication extends React.PureComponent<CVATAppProps & RouteComponentP
                             <Route exact path='/auth/email-verification-sent' component={EmailVerificationSentPage} />
                             <Route exact path='/auth/incorrect-email-confirmation' component={IncorrectEmailConfirmationPage} />
                             <Route exact path='/auth/login' component={LoginPageContainer} />
-                            <Route
-                                exact
-                                path='/auth/login-with-token/:token'
-                                component={LoginWithTokenComponent}
-                            />
                             {isPasswordResetEnabled && (
                                 <Route exact path='/auth/password/reset' component={ResetPasswordPageComponent} />
                             )}

diff --git a/cvat-ui/src/components/login-with-token/login-with-token.tsx b/cvat-ui/src/components/login-with-token/login-with-token.tsx
diff --git a/tests/cypress/e2e/actions_users/issue_1810_login_logout.js b/tests/cypress/e2e/actions_users/issue_1810_login_logout.js
@@ -58,24 +58,6 @@ context('When clicking on the Logout button, get the user session closed.', () =
             cy.contains('.cvat-task-details-task-name', `${taskName}`).should('be.visible');
         });
 
-        it('Logout and login to task via token', () => {
-            cy.logout();
-            // get token and login to task
-            cy.request({
-                method: 'POST',
-                url: '/api/auth/login',
-                body: {
-                    username: Cypress.env('user'),
-                    email: Cypress.env('email'),
-                    password: Cypress.env('password'),
-                },
-            }).then(async (response) => {
-                const token = response.body.key;
-                cy.visit(`/auth/login-with-token/${token}?next=/tasks/${taskId}`);
-                cy.contains('.cvat-task-details-task-name', `${taskName}`).should('be.visible');
-            });
-        });
-
         it('Login via email', () => {
             cy.logout();
             login(Cypress.env('email'), Cypress.env('password'));