Create sessiontoken.csr #713
base: master
Conversation
The sessiontoken app, developed by Octopuce for Nextcloud, gives an API endpoint to ask for a session token for any user, similar to impersonate, but via an API. It's used to migrate Nextcloud accounts massively or to access Nextcloud accounts from other apps.

Signed-off-by: Benjamin Sonntag <benjamin@octopuce.fr>
@vincib we are not really sure it would be a good idea to have such an app published in the app store. The purpose of the app is enabling mass impersonation of users by administrators, if I understand it correctly. We are not so sure that has a general interest that would justify having it on the app store. What do you think?
Hello Matthieu, I think about that issue the other way around: having good tools around an application is a good sign that it will be able to serve its users well. To me, free software is useful when it has 2 main characteristics:

Nextcloud, as of today, fits those 2 well! As for Nextcloud, I don't know how I would be able to serve my users in Nextcloud without the Impersonate app: the users know I can act on their behalf, and they are glad I can do that, since it means I'll be able to help them. The sessiontoken app is used in two main cases as of today:

Also, the sessiontoken app creates tokens in NC the "standard way", so the user can SEE the token in their "security" tab. I'd just suggest that the end user of a NC instance should KNOW when the impersonate app is installed (maybe in the security tab too?). Also, final point: if an admin (having ssh access to the NC instance) wants to abuse their users, they can always install the impersonate app, whether it is in the app store or not... hiding it from the app store would not protect anyone from rogue admins...
@vincib we took some time to think again about the situation.
We would like to suggest that you should feel free to reach out to us to discuss improvements to your solution.
You could use our forum https://help.nextcloud.com/
You could reach out via the Talk community room https://cloud.nextcloud.com/call/xs25tz5y
We are concerned by this application from a security point of view. Those concerns are not big enough that we will block this app certificate request. We would still ask you to add some disclaimer to your readme giving context that more secure options also exist.
As I said, we are eager to discuss this in a more direct way with you and to resolve any issue.
Let me also remind you that we are organizing a conference very soon that may be interesting for you.
Do you consider joining us?
https://nextcloud.com/blog/nextcloud-conference-2024/
The source code is available here
https://octoforge.fr/octopuce/sessiontoken