[ https://issues.apache.org/jira/browse/FINERACT-629?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Aleksandar Vidakovic updated FINERACT-629:
------------------------------------------
    Fix Version/s:     (was: 1.5.0)
                       1.4.0

> Authentication API endpoint forces username and password as URL params
> ----------------------------------------------------------------------
>
>                 Key: FINERACT-629
>                 URL: https://issues.apache.org/jira/browse/FINERACT-629
>             Project: Apache Fineract
>          Issue Type: Improvement
>          Components: System
>    Affects Versions: 1.4.0
>            Reporter: Jose A. Franco
>            Assignee: Michael Vorburger
>            Priority: Critical
>              Labels: security, technical
>             Fix For: 1.4.0
>
>
> As documented in the live API documentation available here:
> [https://demo.openmf.org/api-docs/apiLive.htm#authentication]
> Clients must send username and password as URL params of the API endpoint:
> {code:java}
> ...
> function setBasicAuthKey(username, password) {
>     var jqxhr = $.ajax({
>         url : "authentication?username=" + username + "&password=" + password,
>         type : 'POST',
> ...
> {code}
> This could cause issues with credential leakage if the platform is deployed
> in an environment where there is server-side URL logging. Access to those
> logs would expose passwords.
> The proposed solution is to alternatively allow sending username and password
> as request body or as a header.
>
> Something similar happens with the OAuth endpoint:
> {code:java}
> var jqxhr = $.ajax({
>     url : "/fineract-provider/api/oauth/token?username=" + credentials.username
>         + "&password=" + credentials.password
>         + "&client_id=community-app&grant_type=password&client_secret=123
> {code}
> *Solution proposal*
> Alternatively, allow credentials to be sent as part of the request payload.
> It would be less prone to leakage in case there is server-side URL logging.
> For the /authentication endpoint it might make sense as well to support the
> standard HTTP Basic Auth header, already base64-encoded.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
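The leakage path described in this issue, shown as an added example that is not part of the Jira report or of the Fineract code base. It builds the same three client requests the report talks about (credentials in the query string as the live docs do it, credentials in a JSON body, and a standard HTTP Basic header) and then renders each one the way a reverse proxy or servlet container would write it to a Common Log Format access log, where only the request line (method, path and query string) is recorded. The host name, the JSON field names and the sample credentials are assumptions chosen for the illustration; nothing here claims the Fineract server accepts the body or header variants.

```javascript
// Added example (not Fineract project code): credentials placed in the URL
// query string survive into server-side access logs; credentials carried in
// the request body or an Authorization header do not. Requests are plain
// {method, url, headers, body} objects and no network call is made.

const BASE = 'https://example.invalid/fineract-provider/api/v1'; // hypothetical host

// Client call as the live API docs currently do it: credentials in the URL.
function buildQueryParamRequest(username, password) {
  const qs = 'username=' + encodeURIComponent(username) +
             '&password=' + encodeURIComponent(password);
  return { method: 'POST', url: BASE + '/authentication?' + qs, headers: {}, body: '' };
}

// Proposal 1: credentials in a JSON request body (field names are assumed).
function buildBodyRequest(username, password) {
  return {
    method: 'POST',
    url: BASE + '/authentication',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ username: username, password: password }),
  };
}

// Proposal 2: standard HTTP Basic header (RFC 7617): base64("user:pass").
function basicAuthHeader(username, password) {
  return 'Basic ' + Buffer.from(username + ':' + password, 'utf8').toString('base64');
}

function buildBasicAuthRequest(username, password) {
  return {
    method: 'POST',
    url: BASE + '/authentication',
    headers: { Authorization: basicAuthHeader(username, password) },
    body: '',
  };
}

// Common Log Format line as a proxy or container would write it: client,
// timestamp, request line, status, size. The request line carries the full
// path including the query string; headers and body are never logged.
function accessLogLine(req, clientIp) {
  const u = new URL(req.url);
  const requestLine = req.method + ' ' + u.pathname + u.search + ' HTTP/1.1';
  return (clientIp || '203.0.113.7') +
    ' - - [01/Jan/2020:00:00:00 +0000] "' + requestLine + '" 200 123';
}

// Would the secret appear in the log, either raw or URL-encoded?
function logLeaksSecret(req, secret) {
  const line = accessLogLine(req);
  return line.includes(secret) || line.includes(encodeURIComponent(secret));
}

// One log line per variant, with the leak verdict, for a side-by-side view.
function demo() {
  const builders = [buildQueryParamRequest, buildBodyRequest, buildBasicAuthRequest];
  return builders.map(function (build) {
    const req = build('mifos', 'p4ss w0rd'); // sample credentials, constructed
    return accessLogLine(req) + '  -> leaks password: ' + logLeaksSecret(req, 'p4ss w0rd');
  });
}

console.log(demo().join('\n'));
```

The check in `logLeaksSecret` looks for the URL-encoded form as well as the raw one, because a password containing spaces or punctuation lands in the log as `p4ss%20w0rd`, which a naive grep for the raw value would miss. Note that moving credentials into the body or header removes them from ordinary access logs but not from request-body dumps or debug-level header logging, so those log levels still need to be kept off in production.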