tryagain@lemmy.ml to lemmy.ml meta@lemmy.ml · 2 years ago
I'm going to assume the admins here all have 2FA on their accounts, right?
spiderplant@infosec.pub · 2 years ago: Really curious to see how they kill the existing tokens, and whether admins have tools to easily clear all sessions. On one of the Matrix chats someone suggested that the tokens have a one-year expiry date!
TheSaneWriter@lemm.ee · 2 years ago: The servers should theoretically have a way to murder the tokens, but I'm not sure how Lemmy has implemented authentication, so I don't know for sure.
spiderplant@infosec.pub · 2 years ago: Looks like you're right; admins will just need to update the JWT secret.
TheSaneWriter@lemm.ee · 2 years ago: That makes sense. Of course, updating the secret will log everyone out, but that's a small price to pay to fix an admin breach.
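The mechanics the thread is discussing, as an added example (standard-library Python, not code from Lemmy or from anyone in the thread): a minimal HS256 JWT issuer and verifier. It shows that a token with a one-year expiry is still accepted ten months after issue, that rotating the signing secret invalidates every outstanding session at once (admins and ordinary users alike, which is the "logs everyone out" cost mentioned above), and, going beyond what the thread describes, a per-account "not valid before" cut-off that revokes only one account's sessions without touching anyone else's. The secrets, account names and timestamps are constructed for the demo; the per-account cut-off map is a hypothetical design, not a Lemmy feature.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

ONE_YEAR = 365 * 24 * 3600
T0 = 1_700_000_000                          # constructed issue time (Unix seconds)
OLD_SECRET = b"constructed-old-jwt-secret"  # the secret in use before the rotation
NEW_SECRET = b"constructed-new-jwt-secret"  # the secret after the admin rotates it


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, sub: str, ttl_seconds: int, now: int) -> str:
    """Mint an HS256 JWT for `sub` that expires `ttl_seconds` after `now`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": sub, "iat": now, "exp": now + ttl_seconds}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str, now: int,
                 not_before: Optional[Dict[str, int]] = None) -> Optional[dict]:
    """Return the claims if `token` is valid under `secret` at `now`, else None.

    `not_before` is a hypothetical {sub: timestamp} map: a token for that
    account issued before the timestamp is refused. It is the per-account
    alternative to rotating the global secret.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:          # bad base64 or bad JSON (binascii.Error is a ValueError)
        return None
    # Pin the algorithm: a token claiming alg "none" or an asymmetric alg is refused outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None             # wrong secret (e.g. after rotation) or tampered token
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None             # expired, or no usable exp claim at all
    if not_before and payload.get("iat", 0) < not_before.get(payload.get("sub"), 0):
        return None             # this account's sessions were cut off after the token was issued
    return payload


def demo() -> Dict[str, bool]:
    """Run the scenario from the thread and report which tokens still verify."""
    admin_tok = issue_token(OLD_SECRET, "admin", ONE_YEAR, T0)
    alice_tok = issue_token(OLD_SECRET, "alice", ONE_YEAR, T0)
    later = T0 + 300 * 24 * 3600            # 300 days on: still inside the one-year window
    cutoff = {"admin": T0 + 1}              # hypothetical per-account revocation of "admin"
    # Graft alice's signature onto admin's header.payload to simulate a forged/tampered token.
    forged = admin_tok.rsplit(".", 1)[0] + "." + alice_tok.rsplit(".", 1)[1]
    return {
        "admin_valid_before_rotation": verify_token(OLD_SECRET, admin_tok, later) is not None,
        "admin_valid_after_rotation": verify_token(NEW_SECRET, admin_tok, later) is not None,
        "alice_valid_after_rotation": verify_token(NEW_SECRET, alice_tok, later) is not None,
        "admin_valid_after_targeted_revoke": verify_token(OLD_SECRET, admin_tok, later, cutoff) is not None,
        "alice_valid_after_targeted_revoke": verify_token(OLD_SECRET, alice_tok, later, cutoff) is not None,
        "admin_valid_after_expiry": verify_token(OLD_SECRET, admin_tok, T0 + ONE_YEAR) is not None,
        "forged_valid": verify_token(OLD_SECRET, forged, later) is not None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The rotation case is the one the thread settles on: nothing about the old tokens changes, but the HMAC no longer verifies under the new secret, so every holder is logged out in one step. The `not_before` map shows the finer-grained option a server can offer if it keeps per-account state; it costs one timestamp per revoked account and leaves other sessions alone.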