Wednesday, January 11, 2017

Ember Fastboot doesn't flush HTTP_AUTHORIZATION header value between requests by different users

I'm using Ember Fastboot and ember-simple-auth with a rails backend, and noticed an unexpected behavior where request headers are sticky and persist between requests by different users:

My app authenticates requests by setting the 'Authorization' header to `Bearer ${token}` in app/authorizers/application.js, which works as expected. However, in Fastboot mode, I've noticed that if I authenticate one user and then make a request with a logged-out user from another machine, Fastboot still includes the HTTP_AUTHORIZATION header with the value of the last logged-in user from the first machine.

Not sure if this is expected behavior or I'm doing something wrong, but this certainly has a security concern where one might get unauthorized access to other users' data because Fastboot doesn't flush request headers.

It seems the issue is with Fastboot itself, as ember-simple-auth doesn't actually authenticate logged-out users with the last user's credentials, and even when disabling app/authorizers/application.js, Fastboot continues to include the HTTP_AUTHORIZATION header of the last user.

Restarting the Fastboot server does flush request headers.
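The failure mode described above, as an added illustration that is not FastBoot's or ember-simple-auth's code: a constructed model of a server-side renderer that keeps outgoing API headers in process-wide state (so a token survives until the process restarts) beside one that scopes them per request. The user names and tokens are made-up sample values.

```javascript
// Constructed model of the "sticky Authorization header" failure mode.
// Not FastBoot's or ember-simple-auth's code; it models the mechanism only.

// BUGGY: the headers object lives in module scope, so a value written while
// rendering one user's request is still present when the next request from
// a different, logged-out client is rendered. Only a process restart clears it.
const sharedHeaders = {};

function renderWithSharedState(request) {
  if (request.token) {
    sharedHeaders['Authorization'] = `Bearer ${request.token}`;
  }
  // What the backend API would receive for this render.
  return { user: request.user, backendSaw: { ...sharedHeaders } };
}

// FIXED: every request builds its own headers object; nothing persists
// between renders, so an unauthenticated request carries no token.
function renderPerRequest(request) {
  const headers = {};
  if (request.token) {
    headers['Authorization'] = `Bearer ${request.token}`;
  }
  return { user: request.user, backendSaw: headers };
}

// Constructed sequence: a logged-in user, then a logged-out user from another
// machine hitting the same long-running render process.
const sequence = [
  { user: 'alice', token: 'alice-token' }, // constructed sample token
  { user: 'anonymous', token: null },
];

// Regression check: which Authorization value the backend saw per request.
// A correct renderer must report null for the anonymous request.
function authorizationSeenByBackend(renderFn) {
  return sequence.map(renderFn).map((r) => r.backendSaw['Authorization'] || null);
}
```

The same check can be run against a real deployment by logging the Authorization header the API receives for a logged-in render followed by a logged-out one from a different client.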



