sandstorm-io/sandstorm

App Index should not hard-code notification email address

Open

#3523 opened on May 12, 2021

3 comments, 1 reaction, 0 assignees. Repository language: JavaScript (6,583 stars, 737 forks). Labels: bite-size, bug, good first issue

Description

So, this is potentially a bit of an information leak for private app developers: if you are hosting your own App Index and you didn't notice this and edit it before you built it (I'm assuming people build their own App Index SPK at present anyway, since Kenton does not publish the signed one), you will notify the Sandstorm.io folks instead of yourself.

Also, since the official App Index URL is hardcoded here, it's hard to tell whether the email came from the official app index or a private one. I am not sure if there's an equivalent to an offer template or something to have Sandstorm inject a grain-specific return URL into an email, but that'd be nice. At minimum, I'm hoping getPublicId could provide a server-specific URL here instead of a hardcoded one. (I do notice that the from address is a grain-specific address, but I don't think it can be translated to a web-browseable grain URL.)

Ideally, next to the "set up keybase" button, perhaps we could have a textbox to configure a notification address, and if left blank, it could avoid sending emails altogether.
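To make the proposal above concrete, here is an added illustration (written for this page, not code from the Sandstorm App Index) of the hard-coded pattern the issue describes beside the settings-driven shape it asks for: an operator-configured recipient, no mail at all when that field is blank, and a link built from the grain's own URL rather than a baked-in one. All names (`settings.notifyEmail`, `settings.grainUrl`, the placeholder addresses and URLs) are hypothetical.

```javascript
// Added illustration; not Sandstorm's own code. Every identifier here is hypothetical.

// "Before": the pattern the issue describes. Recipient and index URL are baked in,
// so a privately built App Index notifies the upstream maintainers instead of its
// operator, and its mail is indistinguishable from the official index's.
const HARDCODED_NOTIFY_TO = "apps@example.org";          // constructed placeholder
const HARDCODED_INDEX_URL = "https://index.example.org"; // constructed placeholder

function buildNotificationHardcoded(appId) {
  return {
    to: HARDCODED_NOTIFY_TO,
    subject: `New app submission: ${appId}`,
    body: `Review it at ${HARDCODED_INDEX_URL}/review/${appId}`,
  };
}

// Minimal sanity check on an operator-entered address (constructed; not an RFC parser).
function isPlausibleEmail(s) {
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(s);
}

// "After": the behaviour the issue asks for. The operator sets the recipient in the
// grain's settings; an empty value means "send nothing"; the review link is derived
// from this server's grain URL, so the mail identifies which index it came from.
function buildNotification(settings, appId) {
  const to = (settings.notifyEmail || "").trim();
  if (to === "") return null;                     // blank field => no notification at all
  if (!isPlausibleEmail(to)) throw new Error("invalid notification address");
  if (!settings.grainUrl) throw new Error("grain URL required to build a return link");
  const base = settings.grainUrl.replace(/\/+$/, "");
  return {
    to,
    subject: `New app submission: ${appId}`,
    body: `Review it at ${base}/review/${encodeURIComponent(appId)}`,
  };
}

// Wrapper that only invokes the mail transport when there is something to send.
// Returns true if a message was handed to `send`, false if notifications are off.
function maybeSend(settings, appId, send) {
  const msg = buildNotification(settings, appId);
  if (msg === null) return false;
  send(msg);
  return true;
}

// Example usage with constructed settings:
const exampleSettings = {
  notifyEmail: "ops@example.net",                          // constructed
  grainUrl: "https://sandstorm.example.net/grain/abc123/", // constructed
};
maybeSend(exampleSettings, "my-app", (m) => console.log(m.to, m.body));
```

The important difference is the null return on a blank address: the recipient is opt-in, so a freshly built private index cannot leak submission traffic to anyone by default.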
