[
https://issues.apache.org/jira/browse/FINERACT-629?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Vorburger updated FINERACT-629:
---------------------------------------
Priority: Critical (was: Major)
> Authentication API endpoint forces username and password as URL params
> ----------------------------------------------------------------------
>
> Key: FINERACT-629
> URL: https://issues.apache.org/jira/browse/FINERACT-629
> Project: Apache Fineract
> Issue Type: Improvement
> Components: System
> Reporter: Jose A. Franco
> Priority: Critical
> Labels: security, technical
> Fix For: 1.4.0
>
>
> As documented in the live API documentation available here:
> [https://demo.openmf.org/api-docs/apiLive.htm#authentication]
> Clients must send username and password as URL params of the API endpoint
> {code:java}
> ...
> function setBasicAuthKey(username, password) { var jqxhr = $.ajax({ url :
> "authentication?username=" + username + "&password=" + password, type :
> 'POST',
> ...
> {code}
> This could cause issues with credentials leakage if the platform is deployed
> in an environment where there is server-side URL logging. Access to those
> logs would expose passwords.
> Proposed solution is to alternatively allow sending username and password as
> request body or as a header.
>
> Something similar happens with the OAuth endpoint:
> {code:java}
> var jqxhr = $.ajax({ url : "/fineract-provider/api/oauth/token?username=" +
> credentials.username + "&password=" + credentials.password
> +"&client_id=community-app&grant_type=password&client_secret=123
> {code}
> *Solution proposal*
> Alternatively, allow credentials to be sent as part of the request payload.
> It would be less prone to leakage in case there is server-side URL logging.
> For the /authentication endpoint it might make sense as well to support the
> standard Basic Http Auth header already base64-encoded.
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
