[jira] [Commented] (FINERACT-629) Authentication API endpoint forces username and password as URL params

[Aleksandar Vidakovic (Jira)]

    [ 
https://issues.apache.org/jira/browse/FINERACT-629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17186479#comment-17186479
 ] 

Aleksandar Vidakovic commented on FINERACT-629:
-----------------------------------------------

[~vorburger] what should we do with this one? [~edcable] would like to see it 
included in the 1.4.0 release. Anyone working on this ticket? This is kind of 
the last ticket that stands between us the 1.4.0 release.

> Authentication API endpoint forces username and password as URL params
> ----------------------------------------------------------------------
>
>                 Key: FINERACT-629
>                 URL: https://issues.apache.org/jira/browse/FINERACT-629
>             Project: Apache Fineract
>          Issue Type: Improvement
>          Components: System
>            Reporter: Jose A. Franco
>            Priority: Critical
>              Labels: security, technical
>             Fix For: 1.4.0
>
>
> As documented in the live API documentation available here: 
> [https://demo.openmf.org/api-docs/apiLive.htm#authentication]
> Clients must send username and password as URL params of the API endpoint
> {code:java}
> ...
> function setBasicAuthKey(username, password) { var jqxhr = $.ajax({ url : 
> "authentication?username=" + username + "&password=" + password, type : 
> 'POST',
> ...
> {code}
> This could cause issues with credentials leakage if the platform is deployed 
> in an environment where there is server-side URL logging. Access to those 
> logs would expose passwords.
> Proposed solution is to alternatively allow sending username and password as 
> request body or as a header. 
>  
> Something similar happens with the OAuth endpoint: 
> {code:java}
> var jqxhr = $.ajax({ url : "/fineract-provider/api/oauth/token?username=" + 
> credentials.username + "&password=" + credentials.password 
> +"&client_id=community-app&grant_type=password&client_secret=123
> {code}
> *Solution proposal*
> Alternatively, allow credentials to be sent as part of the request payload. 
> It would be less prone to leakage in case there is server-side URL logging.
> For the /authentication endpoint it might make sense as well to support the 
> standard Basic Http Auth header already base64-encoded.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)