FOLIO-2286

X-Okapi-Module-Tokens response header providing access to unauthenticated users


Details

    • CP: sprint 73
    • Core: Platform

    Description

      Overview

      The X-Okapi-Module-Tokens response header is returned when calling endpoints that have modulePermissions defined. The header contains a token that can be used like an X-Okapi-Token, granting access without ever authenticating.

      Reproducer

      Make a call, without specifying an X-Okapi-Token, to an endpoint that has modulePermissions (note that no X-Okapi-Token is sent in the request below):

      $ curl $OKAPI/circulation/loans -H "X-okapi-tenant: diku" -v -w'\n'
      *   Trying 52.72.80.49...
      * Connected to folio-testing-okapi.aws.indexdata.com (52.72.80.49) port 443 (#0)
      * found 148 certificates in /etc/ssl/certs/ca-certificates.crt
      * found 597 certificates in /etc/ssl/certs
      * ALPN, offering http/1.1
      * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
      * 	 server certificate verification OK
      * 	 server certificate status verification SKIPPED
      * 	 common name: *.aws.indexdata.com (matched)
      * 	 server certificate expiration date OK
      * 	 server certificate activation date OK
      * 	 certificate public key: RSA
      * 	 certificate version: #3
      * 	 subject: CN=*.aws.indexdata.com
      * 	 start date: Thu, 23 May 2019 00:00:00 GMT
      * 	 expire date: Tue, 23 Jun 2020 12:00:00 GMT
      * 	 issuer: C=US,O=Amazon,OU=Server CA 1B,CN=Amazon
      * 	 compression: NULL
      * ALPN, server accepted to use http/1.1
      > GET /circulation/loans HTTP/1.1
      > Host: folio-testing-okapi.aws.indexdata.com
      > User-Agent: curl/7.47.0
      > Accept: */*
      > X-okapi-tenant: diku
      > 
      < HTTP/1.1 403 Forbidden
      < Date: Wed, 25 Sep 2019 21:24:33 GMT
      < Content-Type: text/plain
      < Transfer-Encoding: chunked
      < Connection: keep-alive
      < X-Okapi-Module-Tokens: {"mod-circulation-17.0.0-SNAPSHOT.383":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJVTkRFRklORURfVVNFUl9fMTAuMzYuMS45NTo0NTk3OF9fMjAxOS0wOS0yNVQyMToyNDozMy4yNjcrMDAwMCIsIm1vZHVsZSI6Im1vZC1jaXJjdWxhdGlvbi0xNy4wLjAtU05BUFNIT1QuMzgzIiwiZXh0cmFfcGVybWlzc2lvbnMiOlsibW9kcGVybXMuY2lyY3VsYXRpb24ubG9hbnMuY29sbGVjdGlvbi5nZXQiXSwicmVxdWVzdF9pZCI6IjE5MDk5N1wvY2lyY3VsYXRpb24iLCJ0ZW5hbnQiOiJkaWt1In0.sGQCtHxwNNi3gSWZctCULRHiHx3O4Sq2xJoT1i64jYw","_":"eyJhbGciOiJIUzI1NiJ9.eyJkdW1teSI6dHJ1ZSwic3ViIjoiVU5ERUZJTkVEX1VTRVJfXzEwLjM2LjEuOTU6NDU5NzhfXzIwMTktMDktMjVUMjE6MjQ6MzMuMjY3KzAwMDAiLCJyZXF1ZXN0X2lkIjoiMTkwOTk3XC9jaXJjdWxhdGlvbiIsInRlbmFudCI6ImRpa3UifQ.w1t8bHOzlAd5EOYeLBOjU8DW9A0DgjvJqVrkds_Ha7U"}
      < X-Okapi-Trace: GET mod-authtoken-2.3.0-SNAPSHOT.56 http://10.36.1.95:9132/circulation/loans : 403 3207us
      < 
      * Connection #0 to host folio-testing-okapi.aws.indexdata.com left intact
      Access requires permission: circulation.loans.collection.get
      

      The 403 response makes sense, except for the X-Okapi-Module-Tokens header: when decoded, the token returned by this particular call carries the following permission:

      modperms.circulation.loans.collection.get
      

      which expands to a very long list:

      [
              "circulation-storage.loans.collection.get",
              "circulation-storage.loan-policies.item.get",
              "circulation-storage.loan-policies.collection.get",
              "inventory-storage.items.item.get",
              "inventory-storage.items.collection.get",
              "inventory-storage.locations.item.get",
              "inventory-storage.locations.collection.get",
              "inventory-storage.location-units.institutions.item.get",
              "inventory-storage.location-units.campuses.item.get",
              "inventory-storage.location-units.libraries.item.get",
              "inventory-storage.location-units.libraries.collection.get",
              "inventory-storage.holdings.collection.get",
              "inventory-storage.holdings.item.get",
              "inventory-storage.instances.collection.get",
              "inventory-storage.instances.item.get",
              "inventory-storage.material-types.collection.get",
              "inventory-storage.material-types.item.get",
              "inventory-storage.service-points.collection.get",
              "inventory-storage.service-points.item.get",
              "users.collection.get",
              "users.item.get",
              "inventory-storage.locations.collection.get",
              "accounts.collection.get",
              "usergroups.collection.get",
              "usergroups.item.get"
            ]
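The check below is an added example (not FOLIO or Okapi project code) that replays the 403 response from the reproducer above, using the headers and tokens copied from the curl output, and decodes the JWT payloads in X-Okapi-Module-Tokens so a regression test can assert that an unauthenticated caller receives no token carrying extra_permissions. The payloads are only base64url-decoded, never signature-verified; the point is what the header discloses.

```python
"""Regression check for FOLIO-2286: module tokens leaking to unauthenticated callers.

Added example, not FOLIO/Okapi project code. It replays the 403 response from the
reproducer above (headers and tokens copied from the curl output) and decodes the
JWT payloads in X-Okapi-Module-Tokens. Payloads are only base64url-decoded, never
signature-verified: the check is about what the header discloses, not validity.
"""
import base64
import json

# Headers from the issue's reproducer: the request carried no X-Okapi-Token.
REQUEST_HEADERS = {"X-Okapi-Tenant": "diku"}
RESPONSE_403_HEADERS = {
    "Content-Type": "text/plain",
    "X-Okapi-Module-Tokens": '{"mod-circulation-17.0.0-SNAPSHOT.383":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJVTkRFRklORURfVVNFUl9fMTAuMzYuMS45NTo0NTk3OF9fMjAxOS0wOS0yNVQyMToyNDozMy4yNjcrMDAwMCIsIm1vZHVsZSI6Im1vZC1jaXJjdWxhdGlvbi0xNy4wLjAtU05BUFNIT1QuMzgzIiwiZXh0cmFfcGVybWlzc2lvbnMiOlsibW9kcGVybXMuY2lyY3VsYXRpb24ubG9hbnMuY29sbGVjdGlvbi5nZXQiXSwicmVxdWVzdF9pZCI6IjE5MDk5N1wvY2lyY3VsYXRpb24iLCJ0ZW5hbnQiOiJkaWt1In0.sGQCtHxwNNi3gSWZctCULRHiHx3O4Sq2xJoT1i64jYw","_":"eyJhbGciOiJIUzI1NiJ9.eyJkdW1teSI6dHJ1ZSwic3ViIjoiVU5ERUZJTkVEX1VTRVJfXzEwLjM2LjEuOTU6NDU5NzhfXzIwMTktMDktMjVUMjE6MjQ6MzMuMjY3KzAwMDAiLCJyZXF1ZXN0X2lkIjoiMTkwOTk3XC9jaXJjdWxhdGlvbiIsInRlbmFudCI6ImRpa3UifQ.w1t8bHOzlAd5EOYeLBOjU8DW9A0DgjvJqVrkds_Ha7U"}',
}

def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def decode_jwt_payload(token: str) -> dict:
    """Claims of a compact JWT (header.payload.signature); the signature is ignored."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def leaked_module_tokens(request_headers: dict, response_headers: dict) -> dict:
    """Module id -> decoded claims for each token handed to a caller without X-Okapi-Token.

    An empty dict is the expected (fixed) behaviour; anything else reproduces the bug.
    """
    if _header(request_headers, "X-Okapi-Token") is not None:
        return {}  # authenticated caller: out of scope for this check
    raw = _header(response_headers, "X-Okapi-Module-Tokens")
    if raw is None:
        return {}
    return {module: decode_jwt_payload(tok) for module, tok in json.loads(raw).items()}

def granted_permissions(leaked: dict) -> dict:
    """Module id -> extra_permissions a leaked token would confer (dummy tokens have none)."""
    return {m: c["extra_permissions"] for m, c in leaked.items() if c.get("extra_permissions")}

if __name__ == "__main__":
    leaked = leaked_module_tokens(REQUEST_HEADERS, RESPONSE_403_HEADERS)
    for module, perms in granted_permissions(leaked).items():
        print(f"{module}: token for sub={leaked[module]['sub']!r} grants {perms}")
```

Run against a patched Okapi/RMB deployment, the same call should yield an empty result from leaked_module_tokens; the reproducer's headers yield the modperms.circulation.loans.collection.get grant for an UNDEFINED_USER subject.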
      

      The recent fix for RMB-478 appears to address this, but modules will need to upgrade to a version of RMB that includes the fix and be re-released.

              People

                jakub Jakub Skoczen
                cmcnally Craig McNally