tryagain@lemmy.ml to lemmy.ml meta@lemmy.ml · 1 year ago
I'm going to assume the admins here all have 2FA on their accounts, right?
25 comments
spiderplant@infosec.pub · 1 year ago
Really curious to see how they kill the existing tokens, and whether admins have tools to easily clear all sessions. On one of the Matrix chats someone suggested that the tokens have a one year expiry date!

TheSaneWriter@lemm.ee · 1 year ago
The servers should theoretically have a way to murder the tokens, but I'm not sure how Lemmy has implemented authentication so I don't know for sure.

spiderplant@infosec.pub · 1 year ago
Looks like you're right, admins will just need to update the JWT secret.

TheSaneWriter@lemm.ee · 1 year ago
That makes sense. Of course, updating the secret will log everyone out, but that's a small price to pay to fix an admin breach.
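As an added example (not code from the thread, and not Lemmy's own implementation), a minimal HS256 JWT issuer and verifier in Python that shows the two points made above: a token with a one-year expiry stays valid for months under the original secret, and rotating the secret invalidates every outstanding token at once. The secrets, user id and timestamps are constructed for the demo.

```python
# Added example: minimal HS256 JWT issue/verify to show why rotating the
# server's JWT secret kills every existing session, regardless of each token's exp.
import base64, hashlib, hmac, json
from typing import Optional, Tuple

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(secret: bytes, user_id: int, now: int, ttl: int = 365 * 24 * 3600) -> str:
    """Sign a JWT with HS256; ttl defaults to one year, the lifetime mentioned in the thread."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + ttl},
                                 separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(secret: bytes, token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature checks out under `secret` and exp is in the future, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse "none" and any algorithm the server did not choose
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # wrong secret (e.g. rotated) or tampered header/payload
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims

def rotation_demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario: a token is issued before a breach, then the admin rotates the secret.
    Returns (valid an hour later, still valid six months later, valid after rotation)."""
    old_secret, new_secret = b"old-secret-constructed", b"new-secret-constructed"
    t0 = 1_700_000_000  # constructed issue time
    token = issue_token(old_secret, user_id=1, now=t0)
    valid_soon = verify_token(old_secret, token, now=t0 + 3600) is not None
    valid_months_later = verify_token(old_secret, token, now=t0 + 180 * 86400) is not None
    valid_after_rotation = verify_token(new_secret, token, now=t0 + 3600) is not None
    return valid_soon, valid_months_later, valid_after_rotation

if __name__ == "__main__":
    print(rotation_demo())  # (True, True, False)
```

The third value is the "everyone gets logged out" effect the thread describes: with no per-session state on the server, changing the signing secret is the blunt but complete way to revoke all sessions.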