[MGNLREST-261] Secure authentication needed into REST calls Created: 17/Jul/20  Updated: 17/Apr/23  Resolved: 23/Jul/20

Status: Closed
Project: Magnolia REST Framework
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Blocker
Reporter: David Caviedes Marquez Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
duplicates MGNLREST-71 Rest authentication with API Tokens o... Accepted
Template:
Acceptance criteria:
Empty
Task DoD:
[ ]* Doc/release notes changes? Comment present?
[ ]* Downstream builds green?
[ ]* Solution information and context easily available?
[ ]* Tests
[ ]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Date of First Response:

Description

Hello all,


it's fundamental to have a completely secure authentication method for Magnolia REST calls, because the current basic authentication method is not secure.

Let's see a typical scenario:
A Magnolia headless solution where an Angular (front-end) application needs to set some information in Magnolia (for example, set a value in the contacts content app with the nodes endpoint).

In this scenario, Angular needs to make a call from JavaScript code, which is exposed to everyone through the browser inspector, so anyone could catch the REST calls (with credentials) and modify them to make an attack.


How can we secure Magnolia REST authentication in these kinds of scenarios?


Thanks in advance



Comments
Comment by Jan Haderka [ 22/Jul/20 ]

How can we secure Magnolia REST authentication in these kinds of scenarios?

The simplest way of protecting it is probably a combination of the same-origin policy and the use of a CSRF token.

Comment by David Caviedes Marquez [ 22/Jul/20 ]

Thanks @Jan Haderka,

this way seems to be a solution to avoid Magnolia API invocations from unauthorized origins, but going further, let's imagine the JavaScript business logic calculates some information that has to be saved in Magnolia (for example, the accumulated points of a hypothetical website public user); in that scenario the JavaScript business logic would calculate this information and send it to Magnolia via a REST API invocation, so the same public user could inspect the JavaScript code, stop the execution right at the REST API invocation, change the "accumulated points" variable and continue the execution. So how can we avoid this kind of malicious action?


Cheers

Comment by Jan Haderka [ 22/Jul/20 ]

dmarquez You can't really stop an untrustworthy client for as long as you operate from such a client.
You can obfuscate the JS code, or you can do some magic with hiding the token to be sent in an iframe that is self-deleting via JS, etc., but ultimately, as long as you are executing business logic on the client, you will be vulnerable to such exploits.
When using Magnolia I would suggest updating info, such as the accumulated points count, only on the server side, e.g. using the JS Models module, and having the server be the only judge of how many extra points the client should get for the value of their basket (or whatever other op triggers adding the points to their account).

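The server-side approach recommended in the comment above, as an added illustration that is not Magnolia's code and not part of this thread: a handler that trusts the client's "accumulated points" figure next to one that recomputes the points from the server's own copy of the basket. The basket store, the points rule and the request shape are constructed assumptions.

```javascript
// Added illustration, not Magnolia code: the basket store, the points rule and
// the request shape below are constructed assumptions for this example.

// Server-side state: what the server itself knows about each user's basket.
// A real deployment would read this from the server's own storage.
const baskets = {
  alice: [{ sku: 'book', price: 20 }, { sku: 'pen', price: 5 }],
};

// Points rule that lives only on the server: one point per whole currency unit.
function pointsForBasket(items) {
  const total = items.reduce((sum, item) => sum + item.price, 0);
  return Math.floor(total);
}

// Insecure variant: credits whatever "points" value the client-side JavaScript
// sent. A user who pauses the script in the browser debugger and edits that
// variable before the REST call gets the edited number credited.
function creditPointsInsecure(account, request) {
  account.points += request.body.points;
  return account.points;
}

// Hardened variant: the request only identifies the authenticated user (taken
// from the session, not from the body); the server recomputes the points from
// its own basket and never reads a client-supplied figure, so tampering with
// the page's JavaScript changes nothing.
function creditPointsServerSide(account, request) {
  const items = baskets[request.user];
  if (!items) {
    throw new Error('no basket for user');
  }
  account.points += pointsForBasket(items);
  return account.points;
}

// Constructed request: the client claims 9999 points for a 25-unit basket.
const tamperedRequest = { user: 'alice', body: { points: 9999 } };

// Runs both variants against the same tampered request and returns the
// resulting balances: 9999 for the insecure handler, 25 for the hardened one.
function demo() {
  const insecure = creditPointsInsecure({ points: 0 }, tamperedRequest);
  const hardened = creditPointsServerSide({ points: 0 }, tamperedRequest);
  return { insecure, hardened };
}

console.log(demo());
```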
Comment by Mikaël Geljić [ 23/Jul/20 ]

Hi dmarquez, aside from the valid point about logic on the client, we do consider additional/token-based means of authentication, see MGNLREST-71. I'll close this as a duplicate if I may, and link your support ticket there as well.

Cheers,
Mika

Comment by David Caviedes Marquez [ 23/Jul/20 ]

Ok, thanks all for your support, guys. I'll take a look at [Jan Haderka|https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=had]'s recommendation.

Cheers

Generated at Mon Feb 12 06:58:10 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.