Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread James Yong
Hi Jacques, For 1, seems like a ICsrfDefenseStrategy class implementation issue. We can use another Jira for the enhancement / discussion when this JIRA (OFBIZ-11306) is completed. For 2, csrf-token check is independent of auth check, and the current implementation should work as it is. So

Re: GraphQL API for OFBiz

2020-03-28 Thread Girish Vasmatkar
Hi Guys - I've attached video link of the demo held on 03/27 to the ticket https://issues.apache.org/jira/browse/OFBIZ-11347. Let me know should you have any questions. Best Regards, Girish On Sat, Mar 28, 2020 at 2:56 PM Girish Vasmatkar < girish.vasmat...@hotwaxsystems.com> wrote: > Hi

Re: Demo instance for OFBiz 17.12 release and remove 13.07 demo

2020-03-28 Thread Swapnil M Mane
Hello team, I am planning to upgrade the demo instances next week. If you have any feedback or thoughts, please feel free to comment at https://issues.apache.org/jira/browse/OFBIZ-11472 - Best regards, Swapnil M Mane, ofbiz.apache.org On Mon, Mar 23, 2020 at 3:48 PM Jacques Le Roux <

Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread Jacques Le Roux
Hi Girish, Thanks for asking! I have read in several up to date places that it's better to have both. Notably when you use the lax option that I have left users to choice to, because this might be needed in some cases. So the CSRF token defense offers a second fence. OWASP clearly explains

Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread Girish Vasmatkar
Hi Jacques I second your points. However, I have the following question - Since you have explored and followed OWASP very extensively, do you think with the introduction of same-site attribute, the whole concept of CSRF token becomes somewhat redundant, provided almost every browser has the

Re: GraphQL API for OFBiz

2020-03-28 Thread Girish Vasmatkar
Hi Pierre Yes, the demo went well barring some network glitches:).It was recorded as well so I will put the details on the ticket. Thanks for your interest. Best, Girish On Sat, Mar 28, 2020 at 1:30 PM Pierre Smits wrote: > Hi Girish, > > How did your presentation go? Unfortunately I was

Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread Jacques Le Roux
Hi, Of course, I have my own opinion. Here are my answers to these questions. 1. By default in OFBiz the session timeout is 1 hour. After that, OFBiz generates a new CSRF token before you sign in. I think for OFBiz applications it's enough security. Of course we could have more fancy

Re: GraphQL API for OFBiz

2020-03-28 Thread Pierre Smits
Hi Girish, How did your presentation go? Unfortunately I was unable to attend/participate, but am curious. Will you capture highlights and put those in the ticket? Mvg Pierre Op vr 27 mrt. 2020 10:13 schreef Deepak Dixit : > Great initiative Girish. > > Thanks & Regards > -- > Deepak Dixit >