You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There are a few places in the api/ui where Lagoon stores and retrieves files. Currently these are environment backups, task files and insights. The files are retrieved directly from S3 using a signed/short-lived link, meaning no Lagoon authorization is performed once a link is generated.
User may not understand that links used to download these files do not require authentication nor authorization and should be treated securely. The only mitigation if a user exposes the link inadvertently is that it is valid for a short amount of time (currently 5 minutes).
We could inform users of this situation by warning users in the UI. Instead of the download button being a link, it could open a popup with a warning and have the link in there.
Further UX/UI discussion is welcome.
The text was updated successfully, but these errors were encountered:
There are a few places in the api/ui where Lagoon stores and retrieves files. Currently these are environment backups, task files and insights. The files are retrieved directly from S3 using a signed/short-lived link, meaning no Lagoon authorization is performed once a link is generated.
User may not understand that links used to download these files do not require authentication nor authorization and should be treated securely. The only mitigation if a user exposes the link inadvertently is that it is valid for a short amount of time (currently 5 minutes).
We could inform users of this situation by warning users in the UI. Instead of the download button being a link, it could open a popup with a warning and have the link in there.
Further UX/UI discussion is welcome.
The text was updated successfully, but these errors were encountered: