[SERVER-69957] Test commands using a faked security token of a tenant and check that the requests cannot access the tenant's data. Created: 25/Sep/22 Updated: 15/Mar/23 Resolved: 15/Mar/23 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Sophia Tan | Assignee: | [DO NOT USE] Backlog - Server Serverless (Inactive) |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Assigned Teams: |
Serverless
|
| Participants: |
| Description |
|
We need to add some test cases to validate that a faked security token cannot access the tenant's data. A faked security token has a valid user name, db and tenant id but the sign is not valid. |
| Comments |
| Comment by Janna Golden [ 15/Mar/23 ] |
|
This work would be better handled in the [Signature Validation for Security Tokens in Serverless|PM-2609] project. |