security: move x-App-Secret to env var + deprecate ROPC password grant#132
Open
AidanDalyAus wants to merge 1 commit into ardevd:master from
…g for ROPC

Fixes hardcoded credentials (CWE-798):
- x-App-Secret now reads from JLR_APP_SECRET env var (falls back to current value)
- Basic Auth credentials documented as needing rotation
- ROPC password grant gets deprecation warning per RFC 9700

Also documents that VIN last-4 is used as PIN for vehicle commands (honk, climate, charge) which is effectively no authentication since VINs are publicly visible.

Co-Authored-By: Aidan Daly <me@aidandaly.com>
Security Fix

Problem

- Hardcoded x-App-Secret (line 157): Static UUID 7bf6f544-1926-4714-8066-ceceb40d538d shared by all jlrpy installations. JLR cannot distinguish legitimate from rogue API clients.
- Hardcoded Basic Auth (line 163): Basic YXM6YXNwYXNz (decodes to as:aspass) — static client credentials for the OAuth token endpoint.
- ROPC password grant (line 76): User's plaintext password stored in self.oauthdict for the lifetime of the Connection object and reused on every token refresh.
- VIN last-4 used as PIN (line 672): Vehicle commands (honk, climate, charge) are "protected" by the last 4 characters of the VIN, which is publicly visible on every vehicle's windshield.

Fix

- x-App-Secret now reads from JLR_APP_SECRET environment variable with fallback to current value (backward compatible)
- DeprecationWarning per RFC 9700
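As an added illustration of the pattern the description outlines (example code, not jlrpy's own and not this PR's diff): an environment-variable lookup for x-App-Secret that warns whenever it has to fall back to the legacy static value, and a token-request builder that prefers the refresh_token grant and emits a DeprecationWarning on the ROPC password grant. The function names, the placeholder legacy value and the refresh-token preference are assumptions; only the JLR_APP_SECRET variable and the header name come from the page.

```python
import os
import warnings

# Constructed placeholder for the static value the PR says was hardcoded;
# the real value is deliberately not reproduced here.
LEGACY_APP_SECRET = "legacy-app-secret-placeholder"
APP_SECRET_ENV = "JLR_APP_SECRET"


def app_secret(env=None):
    """Return the x-App-Secret value, preferring the JLR_APP_SECRET env var.

    Falls back to the legacy static value for backward compatibility and
    warns when it does, so the shared secret's continued use is visible.
    """
    env = os.environ if env is None else env
    value = env.get(APP_SECRET_ENV, "").strip()
    if value:
        return value
    warnings.warn(
        f"{APP_SECRET_ENV} is not set; falling back to the shared hardcoded "
        "x-App-Secret. Set it to a per-installation value.",
        RuntimeWarning, stacklevel=2)
    return LEGACY_APP_SECRET


def token_request_body(refresh_token=None, username=None, password=None):
    """Build the OAuth token request form (hypothetical helper).

    Prefers the refresh_token grant so the password need not be kept in
    memory between refreshes; the ROPC password grant remains only as a
    deprecated path and raises a DeprecationWarning (RFC 9700).
    """
    if refresh_token:
        return {"grant_type": "refresh_token", "refresh_token": refresh_token}
    if username is None or password is None:
        raise ValueError("need a refresh token or username and password")
    warnings.warn(
        "The ROPC 'password' grant is deprecated (RFC 9700); use it only for "
        "the initial login and refresh tokens afterwards.",
        DeprecationWarning, stacklevel=2)
    return {"grant_type": "password", "username": username, "password": password}


def auth_headers(env=None):
    """Headers for the API call; only x-App-Secret is shown here."""
    return {"x-App-Secret": app_secret(env)}
```

Running with JLR_APP_SECRET unset reproduces the backward-compatible behaviour the PR describes, but the RuntimeWarning makes the fallback visible in logs rather than silent.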