Security Issue in signing a document as any recipient. #844

@Aman0802

Issue Description

For signing any document as a recipient, we need to have the token for the recipient. Once we have the token, we can sign as any recipient. Once I get the token for another recipient, I would be able to sign as that user. You might wonder how one would get the token, but when the documents are being listed on the /documents page, I can easily fetch the token of any other recipient from the network tab, go to the /sign/[token] page, paste their token and sign as that specific recipient.

Steps to Reproduce

Create a document with multiple recipients to sign. On the /documents page, open the network tab and see the recipients in the API call. Copy the token and redirect to /sign/[token]. You would be able to sign as that recipient.

Expected Behavior

One should not be able to see the fields, let alone sign as that recipient, when they land on /sign/[token]. A more secure way needs to be thought of.

Current Behavior

I can sign as any other recipient and complete the document.

Screenshots (optional)

No response

Operating System [e.g., Windows 10]

No response

Browser [e.g., Chrome, Firefox]

No response

Version [e.g., 2.0.1]

No response

Please check the boxes that apply to this issue report.

  • I have searched the existing issues to make sure this is not a duplicate.
  • I have provided steps to reproduce the issue.
  • I have included relevant environment information.
  • I have included any relevant screenshots.
  • I understand that this is a voluntary contribution and that there is no guarantee of resolution.
  • I want to work on creating a PR for this issue if approved
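
The report boils down to two facts: the recipient token is a bearer capability (presenting it at /sign/[token] is enough to sign), and the document listing API hands every recipient's token to whichever user is viewing the list. The defensive fix for the second fact is to never serialise the token into a listing response. The example below is added here for illustration and is not Documenso's code; the field names (`id`, `email`, `token`, `signed`) and the shape of the document record are assumptions, not the project's schema. It shows the leaking serialisation beside a hardened one that maps each recipient to an explicit public view, plus a regression check that flags any response body containing a recipient token verbatim.

```typescript
// Added example for illustration; this is not Documenso's code, and the
// field names (id, email, token, signed) are assumptions, not the project's schema.

interface Recipient {
  id: number;
  email: string;
  // Bearer capability: whoever presents it at /sign/[token] can sign as this recipient.
  token: string;
  signed: boolean;
}

interface DocumentRecord {
  id: number;
  title: string;
  recipients: Recipient[];
}

// A recipient as it should appear in a listing response: no token field at all.
interface PublicRecipient {
  id: number;
  email: string;
  signed: boolean;
}

interface PublicDocument {
  id: number;
  title: string;
  recipients: PublicRecipient[];
}

// Constructed sample data: one document, two recipients, placeholder tokens.
const SAMPLE_DOC: DocumentRecord = {
  id: 1,
  title: "Constructed sample agreement",
  recipients: [
    { id: 10, email: "alice@example.com", token: "CONSTRUCTED-TOKEN-ALICE", signed: false },
    { id: 11, email: "bob@example.com", token: "CONSTRUCTED-TOKEN-BOB", signed: false },
  ],
};

// Vulnerable shape (the behaviour the issue describes): the listing endpoint
// serialises the whole record, so every recipient's token reaches the browser
// of whoever can view the document list.
function serializeDocumentUnsafe(doc: DocumentRecord): string {
  return JSON.stringify(doc);
}

// Hardened shape: build the public view field by field. Constructing the object
// explicitly (rather than deleting `token` from a copy) means a secret column
// added to the record later is not leaked by default either.
function toPublicRecipient(r: Recipient): PublicRecipient {
  return { id: r.id, email: r.email, signed: r.signed };
}

function toPublicDocument(doc: DocumentRecord): PublicDocument {
  return {
    id: doc.id,
    title: doc.title,
    recipients: doc.recipients.map(toPublicRecipient),
  };
}

function serializeDocumentForListing(doc: DocumentRecord): string {
  return JSON.stringify(toPublicDocument(doc));
}

// Regression check: does a serialised response body contain any recipient's
// token verbatim? Worth running in tests against every endpoint that returns
// document data to a user other than that recipient.
function responseLeaksToken(responseBody: string, doc: DocumentRecord): boolean {
  return doc.recipients.some((r) => r.token.length > 0 && responseBody.includes(r.token));
}

// Stand-alone demonstration.
console.log(
  "unsafe listing leaks a token:",
  responseLeaksToken(serializeDocumentUnsafe(SAMPLE_DOC), SAMPLE_DOC), // true
);
console.log(
  "hardened listing leaks a token:",
  responseLeaksToken(serializeDocumentForListing(SAMPLE_DOC), SAMPLE_DOC), // false
);
```

Redacting the token from listing responses closes the exposure the report describes, but it does not by itself answer the report's open question of whether /sign/[token] should require more than possession of the token (for example, that the signer also be authenticated as the matching recipient); that is a separate design decision the issue leaves to the maintainers.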

Metadata

Labels

  • apps: web (Issues related to the webapp)
  • type: bug (Something isn't working)
  • 💰 Rewarded (Set by Algora after bounty is rewarded to user)
