[
https://issues.apache.org/jira/browse/FINERACT-629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17187966#comment-17187966
]
Avik Ganguly commented on FINERACT-629:
---------------------------------------
[~aleks] [~vorburger] [~edcable] : The resolution of the fix didn't work as
expected as it's going in the request body, but the Spring OAuth changes we did
broke OAuth. Let's not hold up the release, as we won't be able to complete the PR
in the first part of this week.
> Authentication API endpoint forces username and password as URL params
> ----------------------------------------------------------------------
>
> Key: FINERACT-629
> URL: https://issues.apache.org/jira/browse/FINERACT-629
> Project: Apache Fineract
> Issue Type: Improvement
> Components: System
> Reporter: Jose A. Franco
> Priority: Critical
> Labels: security, technical
> Fix For: 1.4.0
>
>
> As documented in the live API documentation available here:
> [https://demo.openmf.org/api-docs/apiLive.htm#authentication]
> Clients must send username and password as URL params of the API endpoint
> {code:javascript}
> ...
> function setBasicAuthKey(username, password) {
>     var jqxhr = $.ajax({
>         url : "authentication?username=" + username + "&password=" + password,
>         type : 'POST',
> ...
> {code}
> This could cause issues with credentials leakage if the platform is deployed
> in an environment where there is server-side URL logging. Access to those
> logs would expose passwords.
> Proposed solution is to alternatively allow sending username and password as
> request body or as a header.
>
> Something similar happens with the OAuth endpoint:
> {code:javascript}
> var jqxhr = $.ajax({
>     url : "/fineract-provider/api/oauth/token?username=" + credentials.username
>         + "&password=" + credentials.password
>         + "&client_id=community-app&grant_type=password&client_secret=123
> {code}
> *Solution proposal*
> Alternatively, allow credentials to be sent as part of the request payload.
> It would be less prone to leakage in case there is server-side URL logging.
> For the /authentication endpoint it might make sense as well to support the
> standard Basic Http Auth header already base64-encoded.
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
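The leakage path the issue describes, and the header-based alternative it proposes, as an added Node.js example (not Fineract or community-app code): the same /authentication call built with credentials in the query string versus in an HTTP Basic Authorization header, plus a scan of constructed access-log lines for credential parameters in logged request URLs. The host name and the log lines are constructed for illustration.

```javascript
// Added example, not Fineract code. Host below is an assumed placeholder.
const FINERACT_BASE = 'https://fineract.example.test/fineract-provider/api/v1';

// The reported pattern: credentials become part of the request URL, so any
// server-side URL or access logging records them in clear text.
function buildQueryParamRequest(username, password) {
  const qs = new URLSearchParams({ username, password }).toString();
  return { method: 'POST', url: `${FINERACT_BASE}/authentication?${qs}`, headers: {} };
}

// The proposed alternative: credentials travel in a standard Basic auth header,
// which ordinary access logs do not record (a JSON request body would also do).
function buildBasicAuthRequest(username, password) {
  const token = Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
  return {
    method: 'POST',
    url: `${FINERACT_BASE}/authentication`,
    headers: { Authorization: `Basic ${token}` },
  };
}

// Defensive check: which credential-carrying query parameters does a URL contain?
const CREDENTIAL_PARAMS = ['password', 'client_secret', 'username'];
function urlLeaksCredentials(url) {
  const params = new URL(url).searchParams;
  return CREDENTIAL_PARAMS.filter((p) => params.has(p));
}

// Constructed Apache-style access log lines for the detection walk-through.
const SAMPLE_ACCESS_LOG = [
  '10.0.0.5 - - [01/Sep/2020:10:00:01 +0000] "POST /fineract-provider/api/v1/authentication?username=mifos&password=hunter2 HTTP/1.1" 200 312',
  '10.0.0.5 - - [01/Sep/2020:10:00:02 +0000] "GET /fineract-provider/api/v1/clients?offset=0&limit=10 HTTP/1.1" 200 5120',
  '10.0.0.7 - - [01/Sep/2020:10:00:03 +0000] "POST /fineract-provider/api/oauth/token?grant_type=password&client_id=community-app&client_secret=123 HTTP/1.1" 200 488',
];

// Reports each log line whose request path carries credential parameters.
// Only parameter names are matched, so grant_type=password is not a hit.
function findLeakedCredentialLines(lines) {
  const requestLine = /"(?:GET|POST|PUT|DELETE|PATCH) (\S+) HTTP\/[\d.]+"/;
  const hits = [];
  lines.forEach((line, i) => {
    const m = requestLine.exec(line);
    if (!m) return;
    const leaked = urlLeaksCredentials(`http://placeholder${m[1]}`);
    if (leaked.length) hits.push({ line: i + 1, params: leaked });
  });
  return hits;
}

module.exports = { buildQueryParamRequest, buildBasicAuthRequest, urlLeaksCredentials, findLeakedCredentialLines, SAMPLE_ACCESS_LOG };
```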