I've noticed that there is a FindByNameOrEmailAsync() method that takes a tenant ID and userEmaiOrUserName parameter. This is apparently used by the chat service? [I think some "friendship" class or method, if I remember correctly.]
Allowing someone (i.e., a potential hacker) to validate the tenant ID and user's email, where they then only need to guess the password, is typically not a good security practice. Is this a potential security vulnerability? Has anyone brought this up before, and/or have ASP.NET Zero customers passed security reviews with this API being available?
Thanks in advance for a reply.
-Eric
1 Answer(s)
Hi @eric_pulaski
This app service can only be consumed by authorized users. You can also disable "chat with host" and "chat with other tenants" features so a tenant can't add another tenant's or host's users as a friend.
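As an added illustration (not code from this thread or from ASP.NET Zero itself), here is how a guarded wrapper around such a lookup can look in an ABP application service: the class rejects unauthenticated callers, a cross-tenant lookup is only performed when the corresponding chat feature is enabled, and a disabled feature returns the same result as a non-existent user so the response leaks nothing. The class, method and feature-name strings are assumptions for this example.

```csharp
using System.Threading.Tasks;
using Abp.Application.Services;
using Abp.Authorization;

// Hypothetical service for this example; it is not ASP.NET Zero's friendship service.
// The feature names are assumed to match the project's AppFeatures constants.
[AbpAuthorize] // anonymous callers are rejected before the method body runs
public class FriendLookupAppService : ApplicationService
{
    private const string TenantToHostChat = "App.TenantToHostChatFeature";     // assumed name
    private const string TenantToTenantChat = "App.TenantToTenantChatFeature"; // assumed name

    private readonly UserManager _userManager; // the project's UserManager (AbpUserManager)

    public FriendLookupAppService(UserManager userManager)
    {
        _userManager = userManager;
    }

    // Returns the user id, or null both when the user does not exist and when the
    // caller is not allowed to look outside its own tenant (no enumeration signal).
    public async Task<long?> FindFriendUserIdAsync(int? targetTenantId, string userNameOrEmail)
    {
        var callerTenantId = AbpSession.TenantId;
        bool callerIsHost = !callerTenantId.HasValue;
        bool crossTenant = targetTenantId != callerTenantId;

        // Tenant callers looking outside their own tenant need the matching chat feature.
        // Host callers are assumed to be allowed; FeatureChecker needs a tenant to evaluate.
        if (crossTenant && !callerIsHost)
        {
            string requiredFeature = targetTenantId.HasValue ? TenantToTenantChat : TenantToHostChat;
            if (!await FeatureChecker.IsEnabledAsync(requiredFeature))
            {
                return null;
            }
        }

        var user = await _userManager.FindByNameOrEmailAsync(targetTenantId, userNameOrEmail);
        return user?.Id;
    }
}
```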