
Explain header injection in OkapiClient javadoc


Details

    • Bug
    • Status: Closed
    • P3
    • Resolution: Done
    • CP: Sprint 155, CP: Sprint 156
    • Core: Platform
    • TBD

    Description

      Overview:

      If you specify an x-okapi-token header when making a request to an edge module based on the edge-common framework, that token is used instead of the token obtained from cache or from authenticating with FOLIO.

      I believe the problem is with this method: https://github.com/folio-org/edge-common/blob/fae254ca76aef9123d2bcbcb27b59c36e4588434/src/main/java/org/folio/edge/core/utils/OkapiClient.java#L260

      Steps to Reproduce:

      1. Make a call to any edge-* module based on edge-common while specifying the x-okapi-token header.

      Expected Results:
      In downstream requests the edge module should use the token obtained via authenticating with OKAPI or from the edge module's internal cache.

      Actual Results:
      The token value provided in the request is used when making downstream requests. This can be seen in the logs...

      And another example... 

      How to fix:
      See release notes: https://github.com/folio-org/edge-common/releases/tag/v4.4.0

      To make this even more visible this should also be added to the OkapiClient javadoc.

      The bug is in the edge-x module when it passes on all HTTP request headers to Okapi. This needs to be fixed there.

      Example: https://github.com/folio-org/edge-rtac/blob/v2.6.0/src/main/java/org/folio/edge/rtac/RtacHandler.java#L90

      In addition, we can remove the X-Okapi-Token header in OkapiClient#combineHeadersWithDefaults; however, this doesn't stop other headers from being injected, which can be an issue because edge modules might be more exposed (more permissive firewall configuration) than Okapi.
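      An added illustration of the two merge strategies the description contrasts (not edge-common or edge-rtac code; the class, method and allow-list names are hypothetical): layering every client header over the module's defaults, versus dropping X-Okapi-Token and forwarding only an allow-list of client headers so that the token obtained from cache or authentication always wins.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;

// Hypothetical illustration of the header-merge step discussed in this issue.
// Not edge-common or edge-rtac code: class, method and header-list names are invented.
public class HeaderMergeExample {
    static final String OKAPI_TOKEN = "X-Okapi-Token";
    // Assumed allow-list of client headers the edge module is willing to pass through (lower-case).
    static final Set<String> FORWARDABLE = Set.of("accept", "accept-language");
    // Header names are case-insensitive: "x-okapi-token" and "X-Okapi-Token" are the same header.
    static Map<String, String> caseInsensitiveCopy(Map<String, String> m) {
        Map<String, String> out = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
        out.putAll(m);
        return out;
    }
    // Vulnerable pattern: every client header is layered over the defaults, so a
    // client-supplied x-okapi-token replaces the token the edge module obtained itself.
    static Map<String, String> combineUnsafe(Map<String, String> defaults, Map<String, String> request) {
        Map<String, String> out = caseInsensitiveCopy(defaults);
        out.putAll(request);
        return out;
    }
    // Hardened pattern: never accept X-Okapi-Token from the client, forward only allow-listed
    // headers, and let the defaults (tenant, cached or freshly authenticated token) win on collisions.
    static Map<String, String> combineSafe(Map<String, String> defaults, Map<String, String> request) {
        Map<String, String> out = caseInsensitiveCopy(defaults);
        for (Map.Entry<String, String> e : request.entrySet()) {
            String name = e.getKey();
            if (OKAPI_TOKEN.equalsIgnoreCase(name)) continue;
            if (FORWARDABLE.contains(name.toLowerCase(Locale.ROOT)) && !out.containsKey(name)) {
                out.put(name, e.getValue());
            }
        }
        return out;
    }
    public static void main(String[] args) {
        // Constructed sample: defaults as the edge module would build them, and an incoming
        // request that carries its own token plus a header the module never meant to forward.
        Map<String, String> defaults = Map.of("X-Okapi-Tenant", "diku", OKAPI_TOKEN, "token-from-cache");
        Map<String, String> request = Map.of("x-okapi-token", "client-supplied", "Accept", "application/json",
                "X-Forwarded-For", "spoofed");
        System.out.println("unsafe token: " + combineUnsafe(defaults, request).get(OKAPI_TOKEN));
        System.out.println("safe token:   " + combineSafe(defaults, request).get(OKAPI_TOKEN));
        System.out.println("safe headers: " + combineSafe(defaults, request).keySet());
    }
}
```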

      People

        julianladisch Julian Ladisch
        cmcnally Craig McNally