You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This makes it straightforward for unauthorized users to manually alter the IDs (provider=6, service=3, etc.) and enumerate all available providers and services. Such enumeration leads to information disclosure, which can compromise the security and privacy of businesses relying on EasyAppointments.
Proposed Solution
To mitigate this, I propose replacing sequential integer-based IDs with opaque IDs (e.g., UUIDs, hashed identifiers, or similar). This approach would obscure the actual provider and service identifiers, making enumeration significantly harder.
Improved security by preventing easy enumeration of providers and services.
Enhanced privacy for businesses and users.
Maintains backward compatibility if implemented with a fallback mechanism.
Questions for the Maintainers
Do you agree that this is a valid security concern worth addressing?
Would you be open to implementing opaque IDs for provider and service parameters?
If this aligns with your vision for the project, would you like me to contribute a solution via a pull request, or do you prefer to implement it internally?
Additional Notes
Possible approaches could include generating UUIDs or hashing existing database IDs (e.g., using HMAC with a secret key).
If backward compatibility is a concern, legacy sequential IDs can still be supported temporarily.
Thank you for maintaining this excellent project. I look forward to hearing your thoughts and would be happy to assist in implementing this feature if needed!
The text was updated successfully, but these errors were encountered:
The Problem
The current URL structure for booking services in EasyAppointments exposes
provider
andservice
IDs directly in the query parameters. For instance:This makes it straightforward for unauthorized users to manually alter the IDs (
provider=6
,service=3
, etc.) and enumerate all available providers and services. Such enumeration leads to information disclosure, which can compromise the security and privacy of businesses relying on EasyAppointments.Proposed Solution
To mitigate this, I propose replacing sequential integer-based IDs with opaque IDs (e.g., UUIDs, hashed identifiers, or similar). This approach would obscure the actual
provider
andservice
identifiers, making enumeration significantly harder.For example:
Instead of:
It could be:
Benefits
Questions for the Maintainers
provider
andservice
parameters?Additional Notes
Thank you for maintaining this excellent project. I look forward to hearing your thoughts and would be happy to assist in implementing this feature if needed!
The text was updated successfully, but these errors were encountered: