[MGNLREST-261] Secure authentication needed into REST calls Created: 17/Jul/20 Updated: 17/Apr/23 Resolved: 23/Jul/20

| Status: | Closed |
| Project: | Magnolia REST Framework |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement |
| Priority: | Blocker |
| Reporter: | David Caviedes Marquez |
| Assignee: | Unassigned |
| Resolution: | Duplicate |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Description |
Hello all,
it's fundamental to have a complete secure authentication method into Magnolia REST calls, because the current basic authentication method is not secure. Let's see a typical scenario: In this scenario, Angular needs to make a call from Javascript code, which is exposed to all across the browser inspector, so anyone could catch REST calls (with credentials) and modify them to make an attack.
How can we secure Magnolia REST authentication in these kinds of scenarios?
Thanks in advance
| Comments |
| Comment by Jan Haderka [ 22/Jul/20 ] |
The simplest way of protecting is probably by a combination of same-origin policy and use of a CSRF token.
| Comment by David Caviedes Marquez [ 22/Jul/20 ] |
Thanks @Jan Haderka, this way seems to be a solution to avoid Magnolia API invocations from unauthorized origins, but going further, let's imagine Javascript business logic calculates some information that has to be saved into Magnolia (for example accumulated points of a hypothetical website public user). In that scenario the Javascript business logic should calculate this information and send it to Magnolia via a REST API invocation, so the same public user could inspect the Javascript code, stop the execution just at the REST API invocation, change the variable of "accumulated points" and continue the execution. So how can we avoid this kind of malicious action?
Cheers
| Comment by Jan Haderka [ 22/Jul/20 ] |
dmarquez You can't really stop an untrustworthy client for as long as you operate from such a client.
| Comment by Mikaël Geljić [ 23/Jul/20 ] |
Hi dmarquez, aside from the valid point about logic on the client, we do consider additional/token-based means of authentication, see MGNLREST-71. I'll close this as a duplicate if I may, and link your support ticket there as well. Cheers,
| Comment by David Caviedes Marquez [ 23/Jul/20 ] |
Ok, thanks all for your support guys, I'll take a look at [Jan Haderka|https://jira.magnolia-cms.com/secure/ViewProfile.jspa?name=had]'s recommendation. Cheers