Posted to issues@fineract.apache.org by "Aleksandar Vidakovic (Jira)" <ji...@apache.org> on 2020/08/18 21:16:00 UTC

[jira] [Commented] (FINERACT-629) Authentication API endpoint forces username and password as URL params

    [ https://issues.apache.org/jira/browse/FINERACT-629?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17180108#comment-17180108 ] 

Aleksandar Vidakovic commented on FINERACT-629:
-----------------------------------------------

Concerning OAuth: the documentation mentions that query parameter username and password are needed, but I think this is a copy and paste error... I see no indication that these parameters are used anywhere internally (aka in Spring Security/OAuth). Could someone please confirm?

> Authentication API endpoint forces username and password as URL params
> ----------------------------------------------------------------------
>
>                 Key: FINERACT-629
>                 URL: https://issues.apache.org/jira/browse/FINERACT-629
>             Project: Apache Fineract
>          Issue Type: Improvement
>          Components: System
>            Reporter: Jose A. Franco
>            Priority: Critical
>              Labels: security, technical
>             Fix For: 1.4.0
>
>
> As documented in the live API documentation available here: [https://demo.openmf.org/api-docs/apiLive.htm#authentication]
> Clients must send username and password as URL params of the API endpoint
> {code:java}
> ...
> function setBasicAuthKey(username, password) { var jqxhr = $.ajax({ url : "authentication?username=" + username + "&password=" + password, type : 'POST',
> ...
> {code}
> This could cause issues with credentials leakage if the platform is deployed in an environment where there is server-side URL logging. Access to those logs would expose passwords.
> Proposed solution is to alternatively allow sending username and password as request body or as a header. 
>  
> Something similar happens with the OAuth endpoint: 
> {code:java}
> var jqxhr = $.ajax({ url : "/fineract-provider/api/oauth/token?username=" + credentials.username + "&password=" + credentials.password +"&client_id=community-app&grant_type=password&client_secret=123
> {code}
> *Solution proposal*
> Alternatively, allow credentials to be sent as part of the request payload. It would be less prone to leakage in case there is server-side URL logging.
> For the /authentication endpoint it might make sense as well to support the standard Basic Http Auth header already base64-encoded.
>  
>  
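Added example, not code from Fineract or from this issue: a small Node.js script that builds the `/authentication` request in the query-string form quoted above and in the two forms the issue proposes (JSON body, Basic header), then shows what a server-side access log line would record for each. The host name and the credentials are constructed placeholders.

```javascript
// Added example, not part of Fineract or this issue: the three ways of sending
// credentials to /authentication, and what an access log records for each.
// Host and credentials below are constructed placeholders.
const BASE = "https://fineract.example/fineract-provider/api/v1";

// Form quoted in the issue: username and password in the query string.
function buildQueryParamRequest(username, password) {
  const params = new URLSearchParams({ username, password });
  return { url: `${BASE}/authentication?${params}`, method: "POST", headers: {}, body: null };
}

// Alternative 1 from the issue: credentials in a JSON request body.
function buildBodyRequest(username, password) {
  return {
    url: `${BASE}/authentication`,
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ username, password }),
  };
}

// Alternative 2 from the issue: standard HTTP Basic Authorization header
// (base64 of "user:pass"; this is encoding, not encryption, so TLS is still required).
function buildBasicAuthRequest(username, password) {
  const token = Buffer.from(`${username}:${password}`, "utf8").toString("base64");
  return { url: `${BASE}/authentication`, method: "POST", headers: { Authorization: `Basic ${token}` }, body: null };
}

// What a typical web-server or reverse-proxy access log keeps of a request:
// the request line (method, path and query string). Request bodies and the
// Authorization header are not part of the default log formats; the query string is.
function accessLogLine(req) {
  const u = new URL(req.url);
  return `${req.method} ${u.pathname}${u.search} HTTP/1.1`;
}

// Quick check a reviewer can run: does the logged request line contain the secret?
function leaksCredentials(req, password) {
  return accessLogLine(req).includes(password);
}

// Demo run with constructed credentials.
for (const build of [buildQueryParamRequest, buildBodyRequest, buildBasicAuthRequest]) {
  const req = build("alice", "hunter2");
  console.log(build.name, "->", accessLogLine(req), "| leaks:", leaksCredentials(req, "hunter2"));
}
```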



--
This message was sent by Atlassian Jira
(v8.3.4#803005)