All -

Thank you, Adam, for the work. +1

In Fineract, the Self-Service APIs are the backend-for-frontend API endpoints for the end client or customer. Self-service for customers, not back office. If you are using them in production, please let us know here or on the security list. For many organizations, these APIs are ignored - they've built around them.

These APIs are different from the other 800+ APIs in that the user accessing the APIs could be outside of an organizational network. While I would not want to discuss or rehash the discussions we've had on Security @fineract.ao, Ádám Saghy has summarized it here appropriately. And, we are working "in private" per the Apache security norms.

As Adam notes, this is a preliminary step to deprecate the functionality. Further discussion will be needed. As I have noted else-thread, I believe that this functionality needs to be at Fineract but properly done and maintained. [1] I am NOT voting to remove this functionality permanently. I do NOT suggest that it falls to a vendor, but we cannot leave it "as is".

We've also tried to make people aware of this in the past on our wiki as well, which was circulated each time we announced fixes to CVEs [2], and I've brought it up repeatedly, e.g. [3] and [4].

But, if someone wants to evolve this functionality and maintain this, there is still an opportunity here. I would suggest a completely separate module that can be run in a DMZ and with API controls and completely separated authentication mechanisms/namespaces. Please let the dev list know.

This also has a relationship with the FSIP: https://cwiki.apache.org/confluence/display/FINERACT/FSIP-1%3A++Modular+Security+Architecture

Thanks
James

[1] https://lists.apache.org/thread/lot59783lj8r4klso7d4mw5jjs7zr6ot
[2] https://cwiki.apache.org/confluence/display/FINERACT/Securing+Fineract
[3] https://lists.apache.org/thread/8jkv7kcqz62vzom627o2d4nc45y20fs9
[4] https://lists.apache.org/thread/rrmvywcd1qrgnmyp93ngo9ozxgol76yg

On Sat, May 17, 2025 at 1:32 PM Javier Borkenztain <jav...@fiter.io> wrote:
> For self service functionality are we talking about the role that Mifos
> front end is playing? Or are we talking of something else?
>
> On Sat, 17 May 2025 at 4:22 PM Adam Monsen <meonk...@apache.org> wrote:
>
>> Hi Greg,
>>
>> On 5/17/25 04:31, Greg Stein wrote:
>> > Link to this decision?
>>
>> I assume Ádám is simply raising visibility and welcoming discussion
>> around https://issues.apache.org/jira/browse/FINERACT-2283 and
>> https://github.com/apache/fineract/pull/4671
>>
>> FWIW, I strongly agree with the patch and the reasoning behind it.
>> "Disabled by default" is a thoughtful, well-timed change re:
>> self-service and an overall win security-wise. +1
>>
>> Best,
>> -Adam
>>
>