Update security docs for the new feed token

spiral-project · Jul 28, 2023 · 4d3bcf6 · 4d3bcf6
1 parent ad5b108
commit 4d3bcf6
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 14 deletions.
diff --git a/docs/security.md b/docs/security.md
@@ -11,18 +11,19 @@ expenses in the first place!
 That being said, there are a few mechanisms to limit the impact of a
 malicious member and to manage changes in membership (e.g. ensuring that
 a previous member can no longer access the project). But these
-mechanisms don\'t prevent a malicious member from breaking things in
+mechanisms don't prevent a malicious member from breaking things in
 your project!
 
 ## Security model
 
-A project has three main parameters when it comes to security:
+A project has four main parameters when it comes to security:
 
 -   **project identifier** (equivalent to a \"login\")
 -   **private code** (equivalent to a \"password\")
--   **token** (cryptographically derived from the private code)
+-   **auth token** (cryptographically derived from the private code)
+-   **feed token** (also cryptographically derived from the private code)
 
-Somebody with the private code can:
+Somebody with the **private code** can:
 
 -   access the project through the web interface or the API
 -   add, modify or remove bills
@@ -31,7 +32,7 @@ Somebody with the private code can:
 -   change the email address associated to the project
 -   change the private code of the project
 
-Somebody with the token can manipulate the project through the API to do
+Somebody with the **auth token** can manipulate the project through the API to do
 essentially the same thing:
 
 -   access the project
@@ -40,10 +41,13 @@ essentially the same thing:
 -   change the email address associated to the project
 -   change the private code of the project
 
-The token can also be used to build \"invitation links\". These links
+The auth token can also be used to build "invitation links". These links
 allow to login on the web interface without knowing the private code,
 see below.
 
+Somebody with the **feed token** can only access a read-only view of the project
+through a RSS feed (at `/<project_id>/feed/<token>.xml`).
+
 ## Giving access to a project
 
 There are two main ways to give access to a project to a new person:
@@ -57,25 +61,33 @@ The second method is interesting because it does not reveal the private
 code. In particular, somebody that is logged-in through the invitation
 link will not be able to change the private code, because the web
 interface requires a confirmation of the existing private code to change
-it. However, a motivated person could extract the token from the
+it. However, a motivated person could extract the auth token from the
 invitation link, use it to access the project through the API, and
 change the private code through the API.
 
 ## Removing access to a project
 
 If a person should no longer be able to access a project, the only way
-is to change the private code.
+is to change the private code for the whole project.
+
+This will prevent anybody from logging in with the old private code.
+However, anybody with an existing session cookie will still have
+access to the project.  This is a [known issue](https://github.com/spiral-project/ihatemoney/issues/857)
+that should be fixed.
+
+Changing the private code will automatically change the auth token:
+old invitation links won't work anymore, and anybody with the old token
+will no longer be able to access the project through the API.
 
-This will also automatically change the token: old invitation links
-won\'t work anymore, and anybody with the old token will no longer be
-able to access the project through the API.
+This will also automatically change the feed token, so that existing
+links to the RSS feed for the project will no longer work.
 
 ## Recovering access to a project
 
 If the private code is no longer known, the creator of the project can
 still recover access. He/she must have provided an email address when
 creating the project, and Ihatemoney can send a reset link to this email
-address (classical \"forgot your password\" functionality).
+address (classical "forgot your password" functionality).
 
 Note, however, that somebody with the private code could have changed
 the email address in the settings at any time.

diff --git a/ihatemoney/models.py b/ihatemoney/models.py
@@ -479,8 +479,8 @@ def verify_token(token, token_type="auth", project_id=None, max_age=3600):
         :param token_type: Either "auth" for authentication (invalidated when project code changed),
                         or "reset" for password reset (invalidated after expiration),
                         or "feed" for project feeds (invalidated when project code changed)
-        :param project_id: Project ID. Used for token_type "auth" to use the password as serializer
-                        secret key.
+        :param project_id: Project ID. Used for token_type "auth" and "feed" to use the password
+                        as serializer secret key.
         :param max_age: Token expiration time (in seconds). Only used with token_type "reset"
         """
         loads_kwargs = {}