[ https://issues.apache.org/jira/browse/FINERACT-629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17181465#comment-17181465 ]

Aleksandar Vidakovic commented on FINERACT-629:
-----------------------------------------------

Still a bit strange that it would be enforced like that, because from the top 
of my head these parameters are usually sent with a form POST (assuming that 
Spring OAuth and Spring Security are used)... but again, maybe I'm missing 
something here. I can help to track this down for the next release.

> Authentication API endpoint forces username and password as URL params
> ----------------------------------------------------------------------
>
>                 Key: FINERACT-629
>                 URL: https://issues.apache.org/jira/browse/FINERACT-629
>             Project: Apache Fineract
>          Issue Type: Improvement
>          Components: System
>            Reporter: Jose A. Franco
>            Priority: Critical
>              Labels: security, technical
>             Fix For: 1.5.0
>
>
> As documented in the live API documentation available here: 
> [https://demo.openmf.org/api-docs/apiLive.htm#authentication]
> Clients must send username and password as URL params of the API endpoint
> {code:javascript}
> ...
> function setBasicAuthKey(username, password) {
>     // username and password are concatenated into the query string of the request URL
>     var jqxhr = $.ajax({
>         url : "authentication?username=" + username + "&password=" + password,
>         type : 'POST',
> ...
> {code}
> This could cause issues with credentials leakage if the platform is deployed 
> in an environment where there is server-side URL logging. Access to those 
> logs would expose passwords.
> Proposed solution is to alternatively allow sending username and password as 
> request body or as a header. 
>  
> Something similar happens with the OAuth endpoint: 
> {code:javascript}
> // same pattern on the OAuth token endpoint: user credentials, client_id and client_secret all in the URL
> var jqxhr = $.ajax({
>     url : "/fineract-provider/api/oauth/token?username=" + credentials.username
>         + "&password=" + credentials.password
>         + "&client_id=community-app&grant_type=password&client_secret=123
> {code}
> *Solution proposal*
> Alternatively, allow credentials to be sent as part of the request payload. 
> It would be less prone to leakage in case there is server-side URL logging.
> For the /authentication endpoint it might make sense as well to support the 
> standard Basic Http Auth header already base64-encoded.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

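As an added example for the discussion above (this is not code from the Fineract project, from the API docs, or from the issue reporter), the snippet below builds the /authentication call in the documented query-string form and in the two forms the issue proposes (form-encoded POST body and an HTTP Basic Authorization header), plus the /oauth/token password grant laid out the way RFC 6749 describes it (grant parameters in a form-encoded body, client credentials via Basic). A simulated Common Log Format access-log line then shows which variant leaves the password in server-side URL logging. The host name, the log timestamp and the sample credentials are constructed for the example; it assumes Node.js globals (URL, URLSearchParams, Buffer) and performs no network I/O.

```javascript
// Added example (not Fineract project code): the same credential handoff built
// four ways, plus a simulated access-log line showing what each one leaks.
// Assumes Node.js globals (URL, URLSearchParams, Buffer); no network I/O.
// Host name, timestamp and credentials below are constructed for the example.
const API_BASE = "https://fineract.example/fineract-provider/api"; // hypothetical host

// 1. The documented pattern: username and password in the query string.
function buildQueryStringRequest(username, password) {
  const url = new URL(`${API_BASE}/v1/authentication`);
  url.searchParams.set("username", username);
  url.searchParams.set("password", password);
  return { method: "POST", url: url.toString(), headers: {}, body: null };
}

// 2. Proposed alternative: credentials in a form-encoded POST body.
function buildFormBodyRequest(username, password) {
  return {
    method: "POST",
    url: `${API_BASE}/v1/authentication`,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({ username, password }).toString(),
  };
}

// 3. Proposed alternative: RFC 7617 HTTP Basic, base64("user:pass") in a header.
function basicAuthValue(username, password) {
  return "Basic " + Buffer.from(`${username}:${password}`, "utf8").toString("base64");
}

function buildBasicAuthRequest(username, password) {
  return {
    method: "POST",
    url: `${API_BASE}/v1/authentication`,
    headers: { Authorization: basicAuthValue(username, password) },
    body: null,
  };
}

// 4. OAuth2 password grant as RFC 6749 lays it out: grant parameters in a
// form-encoded body (section 4.3.2), client credentials via HTTP Basic (section 2.3.1).
function buildOAuthTokenRequest(username, password, clientId, clientSecret) {
  return {
    method: "POST",
    url: `${API_BASE}/oauth/token`,
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      Authorization: basicAuthValue(clientId, clientSecret),
    },
    body: new URLSearchParams({ grant_type: "password", username, password }).toString(),
  };
}

// Basic credentials are only base64-encoded: whoever holds the header holds the password.
function decodeBasicAuth(headerValue) {
  const [scheme, token] = headerValue.split(" ");
  if (scheme !== "Basic" || !token) return null;
  const decoded = Buffer.from(token, "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Simulated reverse-proxy / servlet-container access log in Common Log Format.
// The request line records method, path AND query string; headers and body are not logged.
function accessLogLine(req, clientIp = "203.0.113.7", status = 200) {
  const u = new URL(req.url);
  return `${clientIp} - - [24/Aug/2020:10:00:00 +0000] "${req.method} ${u.pathname}${u.search} HTTP/1.1" ${status} 0`;
}

// True if the secret appears in the log line, either raw or form-encoded.
function logLeaksSecret(req, secret) {
  const line = accessLogLine(req);
  const encoded = new URLSearchParams({ s: secret }).toString().slice(2);
  return line.includes(secret) || line.includes(encoded);
}

// Stand-alone demo: the log line each variant would leave behind.
function demo() {
  const requests = [
    buildQueryStringRequest("mifos", "s3cret!"),
    buildFormBodyRequest("mifos", "s3cret!"),
    buildBasicAuthRequest("mifos", "s3cret!"),
    buildOAuthTokenRequest("mifos", "s3cret!", "community-app", "123"),
  ];
  return requests.map((req) => `${accessLogLine(req)} | leaks password: ${logLeaksSecret(req, "s3cret!")}`);
}

for (const line of demo()) console.log(line);
```

Only the query-string variant puts the password into the request line that access logs, proxies and browser history record. The body and header variants keep it out of those logs, but Basic and form-encoded credentials are merely encoded, not protected, so the endpoint still has to be served over TLS, and any debug-level logging that dumps headers or bodies reintroduces the same exposure.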