
Add manual confirmation step to prevent unauthorized or accidental device registrations during netbird up #3002

Open
BitPatty opened this issue Dec 8, 2024 · 0 comments

Comments


BitPatty commented Dec 8, 2024

Is your feature request related to a problem? Please describe.

The current behavior of netbird up automatically linking a device to the user's account without requiring explicit user confirmation could lead to accidental or unauthorized device registrations if the OAuth provider is misconfigured (i.e., open redirects), as well as in the scenarios of a user having multiple accounts or running netbird up by accident on a device.

Note: Currently, if a user already has an active session the device will be added silently, only showing the confirmation of the device being added after it has already been added because the existing SSO session is reused:

  1. Log in to app.netbird.io (or any other scenario in which you need to log in)
  2. Run netbird up
  3. Device is automatically registered

Note 2: Adding a manual confirmation step would provide additional protection against scenarios where an attacker might trick a user into unintentionally authorizing a device.

Describe the solution you'd like

After the user logs in during the netbird up process, display a manual confirmation step in the browser that explicitly asks the user to approve the device before it is linked to their account. Something like:

"A new device is requesting access to your Netbird account [Account Name], Device: [Device Name]. Approve this device?"
[Approve] [Deny]

It should further be considered to require the user to re-confirm their credentials.

Describe alternatives you've considered

  • Sending a notification email after the device is linked, allowing the user to revoke unauthorized devices. While useful, this would not prevent unauthorized registrations in the first place.
  • Relying on the user being aware of the process and carefully managing their actions, which is error-prone and less secure than explicit confirmation.
  • Enabling Peer Approval, while useful for requiring administrator confirmation, is currently limited to the business plan and does not mitigate the risks of open redirects or issues with multiple accounts.
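The flow proposed above (pending request, explicit browser approval, deny/expiry handling), sketched as an added Python model; this is illustrative code written for this page, not NetBird's implementation, and the token format, the 5-minute expiry and all class names are assumptions:

```python
# Illustrative model of the proposed confirmation step (not NetBird's own code).
# Registration is split in two: an existing SSO session can only create a
# *pending* request, and the device is linked only when the user explicitly
# approves it from the browser. Tokens are single-use and time-bound.
import secrets
import time
from dataclasses import dataclass, field

PENDING_TTL_SECONDS = 300  # assumption: approval prompt expires after 5 minutes


@dataclass
class Account:
    name: str
    devices: set = field(default_factory=set)


@dataclass
class PendingDevice:
    device_name: str
    account: Account
    created_at: float


class DeviceLinker:
    def __init__(self, now=time.time):
        self.now = now              # injectable clock so expiry can be tested
        self.pending: dict[str, PendingDevice] = {}

    def request_link(self, sso_account: Account, device_name: str) -> str:
        """Called from `netbird up`. Today the device would be added right here;
        instead, record a pending request and hand back a one-time token."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = PendingDevice(device_name, sso_account, self.now())
        return token

    def prompt_text(self, token: str) -> str:
        req = self.pending[token]
        return (f"A new device is requesting access to your Netbird account "
                f"[{req.account.name}], Device: [{req.device_name}]. Approve this device?")

    def approve(self, token: str, approved: bool) -> bool:
        """Browser callback. Returns True only if the device was actually linked."""
        req = self.pending.pop(token, None)     # pop: token is consumed either way
        if req is None:
            return False                        # unknown or already-used token
        if self.now() - req.created_at > PENDING_TTL_SECONDS:
            return False                        # stale prompt: rerun netbird up
        if not approved:
            return False                        # user clicked Deny, nothing linked
        req.account.devices.add(req.device_name)
        return True
```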