6e4e471792
* fix(lib): ensure issued challenges don't get double-spent Closes #1002 TL;DR: challenge IDs were not validated at time of token issuance. A dedicated attacker could solve a challenge once and reuse it across multiple sessons in order to mint additional tokens. With the advent of store based challenge issuance in #749, this means that these challenge IDs are only good for 30 minutes. Websites using the most recent version of Anubis have limited exposure to this problem. Websites using older versions of Anubis have a much more increased exposure to this problem and are encouraged to keep this software updated as often and as frequently as possible. * docs: update CHANGELOG Signed-off-by: Xe Iaso <me@xeiaso.net> --------- Signed-off-by: Xe Iaso <me@xeiaso.net> |
||
|---|---|---|
| .. | ||
| challenge | ||
| localization | ||
| policy | ||
| store | ||
| testdata | ||
| thoth | ||
| anubis.go | ||
| anubis_test.go | ||
| config.go | ||
| config_test.go | ||
| http.go | ||
| http_test.go | ||