
Bug #20750

Updated by Peter Amstutz 10 months ago

Serving files through keep-web requires the scopes documented at #20249

However it would be much better if it did not require

"GET /arvados/v1/users/current"

Because that means the sharing link can be used to leak personal information about the person sharing it -- their name, email address, any profile information stored on the user record, etc.

Either the relevant keep-web (or controller) requests should not require users/current, or we should introduce a new API call which returns only the minimum information and use that.

If the primary use of the endpoint is to determine either if the token is valid, or get just the user uuid that is associated with the token, we can already do that with @api_client_authorization/current@.
