Security vulnerability on clusters
I will describe this offline.
Migration of credentials has been added to the develop branch
That sounds good.
In the case of a shared cache folder, I would not want to perform migration since it may contain stored credentials to which the current user should not have access.
Here is what I can do:
1. If the cache location is the same as the default location defined in our code, migrate the credentials.
2. Always delete the old .session file regardless of the cache's location.
Users that use a shared cache directory will still have to re-enter passwords, but this hopefully covers the use case for most users.
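The two rules proposed in the comment above, sketched in Python as an added example that is not the project's code. `migrate_legacy_session`, `new_store` (a hypothetical owner-only destination file) and the directory layout in `demo` are assumptions, and the credential bytes are constructed.

```python
import os
import tempfile
from pathlib import Path

SESSION_NAME = ".session"  # legacy credential file named in the thread

def migrate_legacy_session(cache_dir, default_cache_dir, new_store):
    """Apply both rules; return 'absent', 'deleted' or 'migrated'."""
    cache_dir = Path(cache_dir)
    legacy = cache_dir / SESSION_NAME
    if not os.path.lexists(legacy):
        return "absent"
    outcome = "deleted"
    # Rule 1: migrate only when the cache is the default per-user location,
    # so credentials left in a shared cache are never copied to this user.
    is_default = cache_dir.resolve() == Path(default_cache_dir).resolve()
    if is_default and legacy.is_file() and not legacy.is_symlink():
        data = legacy.read_bytes()
        try:
            # O_EXCL keeps credentials already stored; 0o600 is owner-only.
            fd = os.open(new_store, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            pass
        else:
            with os.fdopen(fd, "wb") as out:
                out.write(data)
            outcome = "migrated"
    # Rule 2: always delete the legacy file, wherever the cache lives.
    os.unlink(legacy)
    return outcome

def demo():
    """Run both cases on constructed directories and sample bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        default = root / "home" / ".synapseCache"
        shared = root / "shared" / "cache"
        for d in (default, shared):
            d.mkdir(parents=True)
            (d / SESSION_NAME).write_bytes(b"constructed-sample-credentials")
        store, other = root / "home" / "new_store", root / "other_store"
        results = (migrate_legacy_session(default, default, store),
                   migrate_legacy_session(shared, default, other))
        leftovers = [(d / SESSION_NAME).exists() for d in (default, shared)]
        mode = store.stat().st_mode & 0o077
        return results, store.read_bytes(), other.exists(), leftovers, mode

if __name__ == "__main__":
    print(demo())
```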
I see two issues with the user experience:
1) I am now being prompted for my password even though I already stored my credentials. If I didn't know what was going on, I would be very leery of inputting my password and wonder why Synapse "broke". Also, most users will most likely not remember how they stored their credentials in the first place.
2) Even though my credentials are getting stored in a new location, my old credentials still remain in the .synapseCache/.session. This leaves the vulnerability open to everyone who is only upgrading.
I suggest we should migrate the storage location of the credentials for the user if they already have them cached.
I removed the unused import. Can you try validating again, please?