Merge pull request #62 from tidepool-org/gordyd/update-upload-url

Remove user session id from uploadUrl - potential security risk
tidepool-org · Apr 8, 2016 · 1464e5c · 1464e5c
2 parents 8673868 + 2c66edb
commit 1464e5c
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/lib/common.js b/lib/common.js
@@ -104,7 +104,11 @@ module.exports = function (cfg, deps) {
     if (usersToken == null) {
       return null;
     }
-    return makeUploadUrl('', { token: usersToken });
+    // We previously exposed the user's session id here - which we identified as a security risk.
+    // We would have just removed the token query param altogether, but the URl that we direct user's to 
+    // is configured in a way where the token needs to be set for the Chrome Uploader to be launched
+    // So for now we are setting the token to a constant.
+    return makeUploadUrl('', { launchUploader: 'true' });
   }
   /**
    * Set Blip host