[tyingq]

Is the unique endpoint "secure/random" enough? I imagine you would end up with some amount of live session cookies, tokens, api keys, and so on, that would have some value for people guessing uris.

Edit: Ahh, missed the JWT pairing. I read "Pastebin for" too literally.

[bozly]

This was definitely a concern... Each unique subdomain is checked for collision before being assigned, so no two users will receive the same endpoint. Additionally, it is assigned with a jwt, so even if someone was to brute force an endpoint that has been assigned to someone else, they would not be authorized to see the request data.

[emiunet]

If I knew somebody else's unique subdomain, I could set my browser cookie on my local computer to that value and it seems to just load the other subdomain just fine. I tested this with 2 different browser on my same laptop. Maybe it won't work if the other person is on another computer?

I could also just set the subdomain to anything I like (by setting the cookie value) and it still works just fine.

Ah no, I can still set the cookie to the other person's subdomain on another machine.

Edit: add extra sentence.

Edit2: format.

[bozly]

Oh boy, that's an embarrassing bug!

Found the issue, and I'm working on fix now

Edit: bug squashed - this should no longer be an issue