APIs & Integrations

tclark228
Member

Security Issue - Deleted user's OAuth tokens still able to refresh, access some endpoints on portal

From what I can tell, existing OAuth tokens (access & refresh) for users that are removed from the portal are still able to access some endpoints even after the user is removed from the portal.
HubSpot should, instead, deny token refreshes altogether for users who are removed from the portal that the access token has access to. This is a pretty big security concern for us and our mutual customers.

Steps to reproduce:

- Create a Superadmin user
- Authenticate an OAuth app with a given Superadmin
- Verify access to endpoints
- Delete the Superadmin from the portal they authenticated to
- Call GET /crm/v3/objects/contacts - note 200 response w/ customer data is returned
- Call GET /contacts/v1/lists/recently_updated/contacts/recent - note 400 response w/ error message "User <someuserId> does not have permissions on portal <someportalId>"
  - This occurs perpetually even after the token is refreshed

0 Upvotes
3 Replies
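A way to turn the reproduction steps above into a repeatable post-offboarding check, added here as an example and not code from HubSpot or from the original poster. It assumes the three endpoints named in the post (POST /oauth/v1/token with grant_type=refresh_token, GET /crm/v3/objects/contacts and GET /contacts/v1/lists/recently_updated/contacts/recent) and an injectable HTTP transport; the fake transport at the bottom is constructed to return the 200 / 400 pair the report describes, so the script runs offline and the error-message pattern is only assumed to look like the one quoted in the post.

```python
"""Check what a HubSpot OAuth token pair can still do after the user who
authorised the app was removed from the portal.

Added example for this thread, not HubSpot's or the poster's own code. The
transport is injectable so the check can run offline against the constructed
fake below; pass urllib_transport to run it against the real API with your
own app's credentials.
"""
import json
import re
from typing import Callable, Dict, Optional, Tuple
from urllib import error, parse, request

BASE_URL = "https://api.hubapi.com"
PROBE_ENDPOINTS = (
    "/crm/v3/objects/contacts",
    "/contacts/v1/lists/recently_updated/contacts/recent",
)
# Shape of the per-user error quoted in the report (assumed; adjust if the
# wording differs in your portal).
PERMISSION_ERROR = re.compile(r"User \S+ does not have permissions on portal \S+")

# transport(method, url, headers, body) -> (status, raw_body)
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTP transport; non-2xx responses are returned, not raised."""
    req = request.Request(url, data=body, headers=headers, method=method)
    try:
        with request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except error.HTTPError as exc:
        return exc.code, exc.read()


def refresh_access_token(client_id: str, client_secret: str, refresh_token: str,
                         transport: Transport = urllib_transport) -> Tuple[int, Optional[str]]:
    """Exchange the refresh token for a new access token.
    Returns (status, access_token or None when the refresh was refused)."""
    body = parse.urlencode({
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    status, raw = transport("POST", BASE_URL + "/oauth/v1/token", headers, body)
    if status != 200:
        return status, None
    return status, json.loads(raw).get("access_token")


def probe_endpoints(access_token: str,
                    transport: Transport = urllib_transport) -> Dict[str, Tuple[int, str]]:
    """GET each probe endpoint with the bearer token; returns {path: (status, body)}."""
    results = {}
    for path in PROBE_ENDPOINTS:
        headers = {"Authorization": f"Bearer {access_token}"}
        status, raw = transport("GET", BASE_URL + path, headers, None)
        results[path] = (status, raw.decode("utf-8", "replace"))
    return results


def classify(results: Dict[str, Tuple[int, str]]) -> str:
    """'revoked': every endpoint rejected the token, i.e. the removal propagated.
    'mixed':   some endpoints still serve data while others return the per-user
               permission error, the situation the report describes.
    'live':    every endpoint succeeded; the token is fully usable."""
    statuses = [status for status, _ in results.values()]
    if statuses and all(status in (401, 403) for status in statuses):
        return "revoked"
    if all(status == 200 for status in statuses):
        return "live"
    served = any(status == 200 for status in statuses)
    user_denied = any(PERMISSION_ERROR.search(body) for _, body in results.values())
    return "mixed" if served and user_denied else "unknown"


def run_check(client_id: str, client_secret: str, refresh_token: str,
              transport: Transport = urllib_transport) -> Tuple[str, Dict[str, Tuple[int, str]]]:
    """Refresh, then probe; a refused refresh counts as revoked without probing."""
    _, token = refresh_access_token(client_id, client_secret, refresh_token, transport)
    if token is None:
        return "revoked", {}
    results = probe_endpoints(token, transport)
    return classify(results), results


def fake_deleted_user_transport(method: str, url: str, headers: Dict[str, str],
                                body: Optional[bytes]) -> Tuple[int, bytes]:
    """Constructed stand-in for the API reproducing the responses in the report
    for a token whose authorising user has been deleted (all values made up)."""
    path = url[len(BASE_URL):]
    if method == "POST" and path == "/oauth/v1/token":
        return 200, json.dumps({"access_token": "CONSTRUCTED-ACCESS-TOKEN",
                                "expires_in": 1800}).encode()
    if headers.get("Authorization") != "Bearer CONSTRUCTED-ACCESS-TOKEN":
        return 401, b'{"status":"error","message":"constructed: bad token"}'
    if path == "/crm/v3/objects/contacts":
        return 200, b'{"results":[{"id":"1","properties":{"email":"alice@example.test"}}]}'
    if path == "/contacts/v1/lists/recently_updated/contacts/recent":
        return 400, b'{"status":"error","message":"User 123456 does not have permissions on portal 7890"}'
    return 404, b"{}"


if __name__ == "__main__":
    verdict, results = run_check("cid", "secret", "CONSTRUCTED-REFRESH-TOKEN",
                                 fake_deleted_user_transport)
    for path, (status, _) in results.items():
        print(f"{status} GET {path}")
    print("verdict:", verdict)
```

Run with the fake transport, the verdict is "mixed": the refresh succeeds, the CRM v3 endpoint serves contact data and the v1 endpoint fails with the per-user permission error. A "revoked" verdict is what you would expect after uninstalling the integration from the portal, which the moderator below names as the only way to invalidate the token pair, so the check is useful as a post-offboarding assertion that the uninstall actually happened.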
tclark228
Member

Thanks for the response @JPanama.

"When you authorise an app using OAuth, the authentication is for the portal, rather than for the user"

If this is true then I would not expect GET /contacts/v1/lists/recently_updated/contacts/recent to fail with a 400.

0 Upvotes
JPanama
HubSpot Moderator

Thanks @tclark228.

I see what you mean. OAuth is definitely portal based, but that response is odd. Can you drop me a DM and we can take a look at this in the context of one of the affected portals?

Best,

Joe

0 Upvotes
JPanama
HubSpot Moderator

Hi @tclark228,

Thanks for reaching out. Just to confirm I understand you correctly, a User that authorized an App in a portal can still access certain endpoints after being removed from the portal?

That is the expected behaviour for OAuth tokens. When you authorise an app using OAuth, the authentication is for the portal, rather than for the user. The only way to invalidate the access/refresh tokens is to uninstall the integration from the portal.

As per our documentation here, it is not expected that refreshing or deleting the token will break this connection.

However, I understand your concern. I'm going to tag in some subject matter experts who might have some guidance on best practices for keeping your OAuth'd connections secure. @JBeatty @LMeert @himanshurauthan

Best,

Joe (HubSpot Moderator)

0 Upvotes