Jose A. Franco created FINERACT-629:
---------------------------------------
Summary: Authentication API endpoint forces username and password
as URL params
Key: FINERACT-629
URL: https://issues.apache.org/jira/browse/FINERACT-629
Project: Apache Fineract
Issue Type: Improvement
Components: System
Reporter: Jose A. Franco
As documented in the live API documentation available here:
[https://demo.openmf.org/api-docs/apiLive.htm#authentication]
clients must send the username and password as URL params of the API endpoint:
{code:javascript}
...
function setBasicAuthKey(username, password) { var jqxhr = $.ajax({ url :
"authentication?username=" + username + "&password=" + password, type : 'POST',
...
{code}
This could cause credential leakage if the platform is deployed in an
environment where there is server-side URL logging. Access to those logs
would expose passwords.
Proposed solution is to alternatively allow sending username and password as
request body or as a header.
Something similar happens with the OAuth endpoint:
{code:javascript}
var jqxhr = $.ajax({ url : "/fineract-provider/api/oauth/token?username=" +
credentials.username + "&password=" + credentials.password
+"&client_id=community-app&grant_type=password&client_secret=123
{code}
*Solution proposal*
Alternatively, allow credentials to be sent as part of the request payload. It
would be less prone to leakage in case there is server-side URL logging.
For the /authentication endpoint it might make sense as well to support the
standard HTTP Basic Auth header (already base64-encoded).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
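The following is an added illustration of the leak described in the issue and of the two proposed carriers (HTTP Basic Authorization header and JSON request body); it is not code from Apache Fineract or from the reporter. Function names, the simulated access-log format, and the sample credentials are assumptions made for the example; only the /authentication path and the demo host come from the issue text.

```javascript
// Added example (not part of the Fineract code base or of this issue): shows
// why query-string credentials land in server-side access logs and how the two
// proposed carriers (HTTP Basic Authorization header, JSON request body) avoid
// it. Function names, the log format and the sample values are assumptions for
// illustration; only the /authentication path and demo host come from the issue.

const BASE_URL = 'https://demo.openmf.org/fineract-provider/api/v1';

// The pattern the API docs currently prescribe: credentials in the URL.
function buildQueryStringRequest(username, password) {
  const url = `${BASE_URL}/authentication` +
    `?username=${encodeURIComponent(username)}` +
    `&password=${encodeURIComponent(password)}`;
  return { method: 'POST', url, headers: {}, body: null };
}

// Proposed alternative 1: standard HTTP Basic header, base64("user:pass").
function buildBasicAuthRequest(username, password) {
  const token = Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
  return {
    method: 'POST',
    url: `${BASE_URL}/authentication`,
    headers: { Authorization: `Basic ${token}` },
    body: null,
  };
}

// Proposed alternative 2: credentials in a JSON request body.
function buildJsonBodyRequest(username, password) {
  return {
    method: 'POST',
    url: `${BASE_URL}/authentication`,
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username, password }),
  };
}

// Simulated access-log entry in the common Apache/NGINX-style format (assumed
// here): the request line, query string included, is written to disk; headers
// and body are not. This is exactly the leak the issue describes.
function accessLogLine(req) {
  const u = new URL(req.url);
  return '10.0.0.5 - - [01/Jan/2018:00:00:00 +0000] ' +
    `"${req.method} ${u.pathname}${u.search} HTTP/1.1" 200 42`;
}

// True if the password (raw or percent-encoded) appears in the log line.
function logLeaksPassword(req, password) {
  const line = accessLogLine(req);
  return line.includes(password) || line.includes(encodeURIComponent(password));
}

// Server side: accept any of the three carriers, preferring header, then body,
// then query string (kept only for backwards compatibility with old clients).
// Returns { username, password, source } or null when nothing usable is present.
function extractCredentials(req) {
  const auth = req.headers.Authorization || req.headers.authorization;
  if (typeof auth === 'string' && auth.startsWith('Basic ')) {
    const decoded = Buffer.from(auth.slice(6), 'base64').toString('utf8');
    const sep = decoded.indexOf(':');   // RFC 7617: split at the FIRST colon,
    if (sep < 0) return null;           // so the password itself may contain ':'
    return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1), source: 'header' };
  }
  if (req.body) {
    let parsed;
    try { parsed = JSON.parse(req.body); } catch (e) { return null; }
    if (typeof parsed.username === 'string' && typeof parsed.password === 'string') {
      return { username: parsed.username, password: parsed.password, source: 'body' };
    }
    return null;
  }
  const params = new URL(req.url).searchParams;
  if (params.has('username') && params.has('password')) {
    return { username: params.get('username'), password: params.get('password'), source: 'query' };
  }
  return null;
}

// Stand-alone demo with constructed sample credentials.
const demoPassword = 'p@ss:word';
for (const build of [buildQueryStringRequest, buildBasicAuthRequest, buildJsonBodyRequest]) {
  const req = build('mifos', demoPassword);
  console.log(build.name, '-> log leaks password:', logLeaksPassword(req, demoPassword));
  console.log('  ', accessLogLine(req));
}
```

Note that the query-string variant leaks the password in percent-encoded form, so a log scrubber that greps for the literal password would miss it; the header and body variants never put it on the request line at all. The server-side parser splits the Basic credential at the first colon only, which is what RFC 7617 requires for passwords containing ':'.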