# ivatar issues

Feed: https://git.linux-kernel.at/oliver/ivatar/-/issues
Updated: 2018-11-12T15:25:37Z

## raw_image/<id> should not be accessible to _every_ logged in user

Issue: https://git.linux-kernel.at/oliver/ivatar/-/issues/14
Updated: 2018-11-12T15:25:37Z
Author: Oliver Falk <oliver@linux-kernel.at>
Milestone/label: Go-Live
Assignee: Oliver Falk <oliver@linux-kernel.at>

At the moment the raw/original image can be accessed by every logged-in person; this poses a bit of a security leak. E.g. https://avatars.linux-kernel.at/accounts/raw_image/12

## Logout leading to HTTP error 405

Issue: https://git.linux-kernel.at/oliver/ivatar/-/issues/95
Updated: 2024-01-16T14:00:42Z
Author: Oliver Falk <oliver@linux-kernel.at>

Django 5 deprecated logout via GET request - only POST is allowed.

Reference: https://docs.djangoproject.com/en/5.0/releases/5.0/#features-removed-in-5-0

Also partially outlined here: https://codereviewdoctor.medium.com/3-awesome-django-4-1-changes-1-is-a-logout-deprecation-you-need-to-know-about-1d8166ccbdb2

This needs to be fixed in the navigation and home pages.

## Support for self signed certificates - openid

Issue: https://git.linux-kernel.at/oliver/ivatar/-/issues/84
Updated: 2022-12-30T12:25:48Z
Author: Minecraftchest1
Assignee: Oliver Falk <oliver@linux-kernel.at>

When logging in with an OpenID Connect provider that uses a self-signed cert (such as a self-hosted Keycloak install), the following error is generated.

```
OpenID discovery failed: Error fetching XRDS document: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1056)>
```

![image](/uploads/17c6d103dfd7481a10b29287aabbb858/image.png)

## Reduce profile data

Issue: https://git.linux-kernel.at/oliver/ivatar/-/issues/74
Updated: 2021-09-10T11:07:35Z
Author: Ghost User
Assignee: Oliver Falk <oliver@linux-kernel.at>

In order to encourage privacy by design, I would recommend reducing the information that is held in the account data.

Explicitly, I would recommend/encourage getting rid of the actual identity strings, replacing them with aliases and only storing the hashed version.

[As we recently saw with Gravatar](https://www.bleepingcomputer.com/news/security/online-avatar-service-gravatar-allows-mass-collection-of-user-info/), vulnerabilities allow account enumeration and the like in the worst case. This is not necessary when one takes some trade-offs.

We can just store the hash of most identities in the database. There should be a primary identity that is used as an emergency contact, but otherwise identities should just get an alias field that is used as their UI identifier and otherwise be stored in the form of a hash. This reduces the ability to collect mail addresses and OpenIDs even when the database would be breached.

From a workflow perspective it's not necessary to store an identity after successful verification, as all further actions are performed with the hash only.