Posted to issues@fineract.apache.org by "Michael Vorburger (Jira)" <ji...@apache.org> on 2020/09/10 20:01:00 UTC

[jira] [Commented] (FINERACT-629) Authentication API endpoint forces username and password as URL params

    [ https://issues.apache.org/jira/browse/FINERACT-629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17193823#comment-17193823 ] 

Michael Vorburger commented on FINERACT-629:
--------------------------------------------

[~avikganguly010] I propose that we treat fixing OAuth support, if it's currently broken, separately from fixing the "password in URL parameter" point that this issue was about. If it's already broken anyway, we could still address this point anyway (which won't fix it, but at least "tick this" off; I'll see if I can raise a PR for this myself) - and separately actually fix OAuth, under FINERACT-1144, after someone contributes the missing doc about how this actually works via FINERACT-1145.

> Authentication API endpoint forces username and password as URL params
> ----------------------------------------------------------------------
>
>                 Key: FINERACT-629
>                 URL: https://issues.apache.org/jira/browse/FINERACT-629
>             Project: Apache Fineract
>          Issue Type: Improvement
>          Components: System
>    Affects Versions: 1.4.0
>            Reporter: Jose A. Franco
>            Assignee: Michael Vorburger
>            Priority: Critical
>              Labels: security, technical
>             Fix For: 1.4.0
>
>
> As documented in the live API documentation available here: [https://demo.openmf.org/api-docs/apiLive.htm#authentication]
> Clients must send username and password as URL params of the API endpoint
> {code:java}
> ...
> function setBasicAuthKey(username, password) { var jqxhr = $.ajax({ url : "authentication?username=" + username + "&password=" + password, type : 'POST',
> ...
> {code}
> This could cause issues with credentials leakage if the platform is deployed in an environment where there is server-side URL logging. Access to those logs would expose passwords.
> Proposed solution is to alternatively allow sending username and password as request body or as a header. 
>  
> Something similar happens with the OAuth endpoint: 
> {code:java}
> var jqxhr = $.ajax({ url : "/fineract-provider/api/oauth/token?username=" + credentials.username + "&password=" + credentials.password +"&client_id=community-app&grant_type=password&client_secret=123
> {code}
> *Solution proposal*
> Alternatively, allow credentials to be sent as part of the request payload. It would be less prone to leakage in case there is server-side URL logging.
> For the /authentication endpoint it might make sense as well to support the standard Basic Http Auth header already base64-encoded.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
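Added illustration of the issue above, not code from the Fineract project or from either commenter: it builds the same `/authentication` request three ways (credentials in the query string as the API currently requires, in a JSON body, and in a standard HTTP Basic header), shows what each one leaves in a typical access-log line, and then goes a little beyond the thread with a check that flags log lines carrying credential parameters and a redaction step for logs written before the endpoint changes. The host name, the `/fineract-provider/api/v1` base path, the helper names, the credentials and the log lines are all assumptions or constructed samples.

```javascript
// Added illustration for FINERACT-629; this is not Fineract code. The host name,
// API base path and helper names are assumptions, and the credentials and log
// lines below are constructed for the example.
const API_BASE = "https://fineract.example.invalid/fineract-provider/api/v1"; // placeholder host
const CREDENTIAL_PARAMS = ["password", "client_secret", "username"];

// The pattern the issue describes: credentials go into the query string, so the
// request line (and therefore any server-side access log) carries them.
function buildLeakyLoginRequest(username, password) {
  const url = new URL(`${API_BASE}/authentication`);
  url.searchParams.set("username", username);
  url.searchParams.set("password", password);
  return { method: "POST", url: url.toString(), headers: {}, body: null };
}

// Proposal 1 from the issue: credentials in the request body.
function buildBodyLoginRequest(username, password) {
  return {
    method: "POST",
    url: `${API_BASE}/authentication`,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ username, password }),
  };
}

// Proposal 2 from the issue: the standard HTTP Basic header (base64 of "user:pass").
function buildBasicAuthRequest(username, password) {
  const token = Buffer.from(`${username}:${password}`, "utf8").toString("base64");
  return {
    method: "POST",
    url: `${API_BASE}/authentication`,
    headers: { Authorization: `Basic ${token}` },
    body: null,
  };
}

// A minimal access-log line of the kind most servers write: method, path with
// query string, protocol, status. Headers and bodies are not part of it, which
// is exactly why the body and header variants do not leak.
function accessLogLine(req, status = 200) {
  const u = new URL(req.url);
  return `${req.method} ${u.pathname}${u.search} HTTP/1.1 ${status}`;
}

const LOG_RE = /^(\S+) (\S+) (HTTP\/[\d.]+) (\d{3})$/;

// Defender check: which log lines carry credential parameters in the query string?
function findCredentialLeaks(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(LOG_RE);
    if (!m) continue;
    const q = m[2].indexOf("?");
    if (q < 0) continue;
    const params = new URLSearchParams(m[2].slice(q + 1));
    const leaked = CREDENTIAL_PARAMS.filter((p) => params.has(p));
    if (leaked.length > 0) hits.push({ path: m[2].slice(0, q), params: leaked });
  }
  return hits;
}

// Mitigation while the endpoint still accepts query credentials: redact the
// sensitive parameter values before log lines are stored or shipped elsewhere.
function redactCredentialParams(line) {
  const m = line.match(LOG_RE);
  if (!m) return line;
  const q = m[2].indexOf("?");
  if (q < 0) return line;
  const params = new URLSearchParams(m[2].slice(q + 1));
  for (const p of CREDENTIAL_PARAMS) {
    if (params.has(p)) params.set(p, "REDACTED");
  }
  return `${m[1]} ${m[2].slice(0, q)}?${params.toString()} ${m[3]} ${m[4]}`;
}

// Constructed sample log: one query-string login, one body-based login, and an
// OAuth token request shaped like the one quoted in the issue.
const SAMPLE_LOG = [
  accessLogLine(buildLeakyLoginRequest("alice", "p4ss-example")),
  accessLogLine(buildBodyLoginRequest("alice", "p4ss-example")),
  "POST /fineract-provider/api/oauth/token?username=alice&password=p4ss-example&client_id=community-app&grant_type=password&client_secret=123 HTTP/1.1 200",
];

console.log(findCredentialLeaks(SAMPLE_LOG));
console.log(SAMPLE_LOG.map(redactCredentialParams).join("\n"));
```

Running it with Node prints two hits (the query-string login and the OAuth token call) and the redacted log; the body-based login produces a log line with no query string at all, which is the whole point of the proposal. The redaction step only helps with logs the server already writes; the durable fix is still to stop accepting credentials in the URL.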