Subversion Repositories oidplus

Where is SERVER_SECRET being used?

----------------------------------

System:

- Auth content Store

	OIDplusAuthContentStoreJWT.class: Key to sign JWT tokens (used for Automated AJAX requests) using HMAC

- Session Handler: Encryption of session contents

- Auth utils: Generation of auth keys

	makeAuthKey(data) = sha3_512(SERVER_SECRET + "/AUTHKEY/" + data)

	used at plugin invite RA (ra/092):

		makeAuthKey("activate_ra;" + email + ";" + timestamp)

		= sha3_512(SERVER_SECRET + "/AUTHKEY/activate_ra;" + email + ";" + timestamp)

	used at plugin change RA email (ra/102):

		makeAuthKey("activate_new_ra_email;" + old_email + ";" + new_email + ";" + timestamp)

		= sha3_512(SERVER_SECRET + "/AUTHKEY/activate_new_ra_email;" + old_email + ";" + new_email + ";" + timestamp)

	used at plugin forgot RA password (public/091):

		makeAuthKey("reset_password;" + email + ";" + timestamp)

		= sha3_512(SERVER_SECRET + "/AUTHKEY/reset_password;" + email + ";" + timestamp)

	used at plugin ViaThinkSoft FreeOID activation (public/200):

		makeAuthKey("com.viathinksoft.freeoid.activate_freeoid;" + email + ";" + timestamp)

		= sha3_512(SERVER_SECRET + "/AUTHKEY/com.viathinksoft.freeoid.activate_freeoid;" + email + ";" + timestamp)

Plugin WHOIS (public/100):

- Authentication token for hidden OIDs = smallhash(SERVER_SECRET + "/WHOIS/" + id);

Plugin VNag version check (admin/901):

- Webreader password = sha3_512(SERVER_SECRET + "/VNAG")

Plugin automated AJAX calls (admin/910):

- Unlock key (to avoid brute force attacks) = sha3_512("ANTI-BRUTEFORCE-AJAX/admin/" + SERVER_SECRET)

Plugin automated AJAX calls (ra/910):

- Unlock key (to avoid brute force attacks) = sha3_512("ANTI-BRUTEFORCE-AJAX/" + email + "/" + SERVER_SECRET)