[GH-ISSUE #374] Feature request: dynamic tokens for webvnc console link #235

Closed
opened 2026-02-27 15:57:55 +03:00 by kerem · 4 comments

Originally created by @lord-kyron on GitHub (Oct 15, 2020).
Original GitHub issue: https://github.com/retspen/webvirtcloud/issues/374

@Real-Gecko @catborise - can you guys make the tokens on the webvnc console link (the token in the browser link) STOP being static (per VM) and be generated automatically and dynamically every time a new webvnc console is requested? This way it will prevent a person who knows the exact link (including the token) from opening the VNC console directly. If it is dynamic, once you request a webvnc window (from the connect button) a new link and token are generated, and once you close the window (the VNC connection) the old token has to expire. What do you think?


@lord-kyron commented on GitHub (Nov 12, 2020):

@catborise - will this be something possible to implement?


@catborise commented on GitHub (Nov 20, 2020):

The UUID is the primary key for instances. It cannot change.
If someone has user credentials, he should access any instance.

But there is a glitch, I think. Someone who is not an admin but only a user, and who has the UUID info and host info, could access someone's instance console... I think it is a security issue. We should control whether the user has ownership or not...

Nice catch... my view is that it is a security issue...
We should provide security to prevent that situation.


@lord-kyron commented on GitHub (Nov 20, 2020):

Yes, that was what I meant when I opened this request. I already had traces in the past of someone trying to log in on the console of one of my VMs.


@catborise commented on GitHub (Nov 20, 2020):

It is fixed. If someone is not the owner of the instance and not a superuser, he cannot access the console even if he has the UUID and host number.
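
Added example, not part of the original thread and not webvirtcloud's code: a sketch that combines the owner-or-superuser check described in the fix with the per-request token asked for in the issue, so the static UUID alone never opens a console. The class name, method names, the in-memory store and the 30-second lifetime are all assumptions made for illustration.

```python
import secrets
import time

TOKEN_TTL = 30  # seconds a freshly issued token stays valid (assumed value)


class ConsoleTokens:
    """In-memory store of single-use console tokens (hypothetical helper)."""

    def __init__(self, owners, superusers, clock=time.monotonic):
        self.owners = owners          # instance uuid -> set of owning usernames
        self.superusers = superusers  # set of usernames
        self.clock = clock            # injectable so expiry can be tested
        self._tokens = {}             # token -> (user, uuid, expiry)

    def may_access(self, user, uuid):
        # The rule from the fix: owner of the instance or superuser, nothing else.
        return user in self.superusers or user in self.owners.get(uuid, set())

    def issue(self, user, uuid):
        # Called when the user presses "connect"; knowing the uuid is not enough.
        if not self.may_access(user, uuid):
            raise PermissionError("not owner of instance and not superuser")
        token = secrets.token_urlsafe(32)  # unguessable, unrelated to the uuid
        self._tokens[token] = (user, uuid, self.clock() + TOKEN_TTL)
        return token

    def redeem(self, token, user):
        # Called when the console page opens; pop() makes the token single-use,
        # so a copied or logged link cannot be replayed.
        entry = self._tokens.pop(token, None)
        if entry is None:
            return None
        issued_to, uuid, expiry = entry
        if issued_to != user or self.clock() > expiry:
            return None
        # Re-check ownership in case it was revoked after the token was issued.
        return uuid if self.may_access(user, uuid) else None
```

A production version would keep the tokens in a shared store with server-side expiry, since a per-process dictionary does not survive restarts or multiple workers.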
