Headline
CVE-2022-2306: Correctly console session token on all logouts. (#875) · heroiclabs/nakama@ce8d392
Old session tokens can be used to authenticate to the application and send authenticated requests.
@@ -86,6 +86,14 @@ service Console { }; }
// Log out a session and invalidate the session token. rpc AuthenticateLogout (AuthenticateLogoutRequest) returns (google.protobuf.Empty) { option (google.api.http) = { post: "/v2/console/authenticate/logout", body: “*” }; }
// Add a new console user. rpc AddUser (AddUserRequest) returns (google.protobuf.Empty) { option (google.api.http) = { @@ -504,6 +512,12 @@ message AuthenticateRequest { string password = 2; }
// Log out a session and invalidate a session token. message AuthenticateLogoutRequest { // Session token to log out. string token = 1; }
// API Explorer request definition for CallApiEndpoint message CallApiEndpointRequest { string method = 1;
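Review bot: In the first hunk, the comment on `AuthenticateLogout` does not say whether the call itself must be authenticated, or whether the token passed in the request body has to belong to the caller. Document that on the rpc. The handler should also reject a token that is not tied to the authenticated console session, so that one console user cannot end another user's session through `/v2/console/authenticate/logout`.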
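Review bot: In the second hunk, the `token` field of `AuthenticateLogoutRequest` is documented only as "Session token to log out", which leaves the empty-field case undefined. Say in the field comment what an empty `token` means: either the request is rejected, or the session used to authenticate the request is the one invalidated. The message comment ("invalidate a session token") should also match the rpc comment ("invalidate the session token").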