[ https://issues.apache.org/jira/browse/FINERACT-629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17193863#comment-17193863 ]
Michael Vorburger commented on FINERACT-629:
--------------------------------------------
It actually seems to work just fine as is - see FINERACT-1145:
This issue was about "Authentication API endpoint forces username and password
as URL params".
For {{/api/v1/authentication}}, I had fixed this in FINERACT-726.
For {{/api/oauth/token}}, it's POSSIBLE to pass the username and password as
URL params, but clients do not HAVE to - it also works as
{{x-www-form-urlencoded}} - and we should simply document that we recommend
that, and change the JavaScript in the OpenMF Web Apps (and Android, etc.)
accordingly. (But those clients are NOT part of the Apache Fineract project.)
The CODE for {{/api/oauth/token}} is from (deprecated, note FINERACT-1012)
Spring Security OAuth 2.x, and not something that the Apache Fineract project
can change.
I'll raise a PR for updating our apiLive.htm documentation re. this (but I
don't think this warrants a 1.4.0 "recut").
I'll raise a few issues over on https://github.com/openMF/ re. this for clients.
I'm therefore closing this as a duplicate of FINERACT-726, for 1.4.0.
> Authentication API endpoint forces username and password as URL params
> ----------------------------------------------------------------------
>
> Key: FINERACT-629
> URL: https://issues.apache.org/jira/browse/FINERACT-629
> Project: Apache Fineract
> Issue Type: Improvement
> Components: System
> Affects Versions: 1.4.0
> Reporter: Jose A. Franco
> Assignee: Michael Vorburger
> Priority: Critical
> Labels: security, technical
> Fix For: 1.4.0
>
>
> As documented in the live API documentation available here:
> [https://demo.openmf.org/api-docs/apiLive.htm#authentication]
> Clients must send username and password as URL params of the API endpoint
> {code:java}
> ...
> function setBasicAuthKey(username, password) { var jqxhr = $.ajax({ url :
> "authentication?username=" + username + "&password=" + password, type :
> 'POST',
> ...
> {code}
> This could cause issues with credentials leakage if the platform is deployed
> in an environment where there is server-side URL logging. Access to those
> logs would expose passwords.
> Proposed solution is to alternatively allow sending username and password as
> request body or as a header.
>
> Something similar happens with the OAuth endpoint:
> {code:java}
> var jqxhr = $.ajax({ url : "/fineract-provider/api/oauth/token?username=" +
> credentials.username + "&password=" + credentials.password
> +"&client_id=community-app&grant_type=password&client_secret=123
> {code}
> *Solution proposal*
> Alternatively, allow credentials to be sent as part of the request payload.
> It would be less prone to leakage in case there is server-side URL logging.
> For the /authentication endpoint it might make sense as well to support the
> standard Basic Http Auth header already base64-encoded.
>
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
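The two request shapes discussed in this thread, as an added example (Node-style JavaScript, not code from Apache Fineract, the OpenMF web apps or the Jira thread): the query-string form quoted in the issue beside the x-www-form-urlencoded body form for /api/oauth/token and a Basic Authorization header for /api/v1/authentication, plus a check of what a server-side URL log would retain from each. The base URL and credentials are constructed placeholders; the client_id and client_secret values are the ones visible in the quoted snippet.

```javascript
// Constructed demo values (not real credentials, not from the project).
const DEMO_BASE = 'https://example.invalid/fineract-provider';
const DEMO_CREDS = { username: 'demo-user', password: 'demo-pass-1' };

// Shared OAuth password-grant parameters (client_id/secret as in the issue).
function oauthParams(creds) {
  return new URLSearchParams({
    username: creds.username,
    password: creds.password,
    client_id: 'community-app',
    grant_type: 'password',
    client_secret: '123',
  });
}

// Query-string form quoted in the issue: the password becomes part of the
// request line, so any access log that records URLs records the password.
function oauthTokenRequestViaQuery(base, creds) {
  const url = `${base}/api/oauth/token?${oauthParams(creds)}`;
  return { method: 'POST', url, headers: {}, body: '' };
}

// Recommended form: identical parameters, sent as the request body.
function oauthTokenRequestViaBody(base, creds) {
  return {
    method: 'POST',
    url: `${base}/api/oauth/token`,
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: oauthParams(creds).toString(),
  };
}

// /api/v1/authentication with a standard HTTP Basic header, as the
// reporter proposed: "username:password" base64-encoded.
function authenticationRequestViaBasic(base, creds) {
  const token = Buffer.from(`${creds.username}:${creds.password}`, 'utf8')
    .toString('base64');
  return {
    method: 'POST',
    url: `${base}/api/v1/authentication`,
    headers: { Authorization: `Basic ${token}` },
    body: '',
  };
}

// What a typical server-side URL log keeps: method and URL only, never the
// body or headers. This is the surface the issue is worried about.
function accessLogLine(req) {
  return `${req.method} ${req.url}`;
}

// Defender's check: would the logged request line reveal the password?
function leaksPasswordToLog(req, password) {
  const line = accessLogLine(req);
  return line.includes(password) || line.includes(encodeURIComponent(password));
}
```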