Uploaded image for project: 'FOLIO'
  1. FOLIO
  2. FOLIO-2287

Valid X-Okapi-Token (with permissions) returned on invalid login

    XMLWordPrintable

Details

    • Standard Bug Write-Up Format
    • CP: sprint 73
    • 3
    • Core: Platform

    Description

      Overview

      It was discovered that when logging in with bogus credentials you get an appropriate error response, but also a valid token with the following permissions:

        [
          "auth.signtoken",
          "auth.signrefreshtoken",
          "users.collection.get",
          "users.item.put",
          "users.item.get",
          "configuration.entries.collection.get"
        ]
      

      Reproducer

      1. Login with bad credentials

      $ curl https://folio-testing-okapi.aws.indexdata.com:443/authn/login -H 'Content-Type: application/json' -H 'X-Okapi-Tenant: diku' --data-binary '{"username":"foo","password":"bar"}' -v -w '\n'
      + curl https://folio-testing-okapi.aws.indexdata.com:443/authn/login -H 'Content-Type: application/json' -H 'X-Okapi-Tenant: diku' --data-binary '{"username":"foo","password":"bar"}' -v -w '\n'
      *   Trying 52.72.80.49...
      * Connected to folio-testing-okapi.aws.indexdata.com (52.72.80.49) port 443 (#0)
      * found 148 certificates in /etc/ssl/certs/ca-certificates.crt
      * found 597 certificates in /etc/ssl/certs
      * ALPN, offering http/1.1
      * SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
      * 	 server certificate verification OK
      * 	 server certificate status verification SKIPPED
      * 	 common name: *.aws.indexdata.com (matched)
      * 	 server certificate expiration date OK
      * 	 server certificate activation date OK
      * 	 certificate public key: RSA
      * 	 certificate version: #3
      * 	 subject: CN=*.aws.indexdata.com
      * 	 start date: Thu, 23 May 2019 00:00:00 GMT
      * 	 expire date: Tue, 23 Jun 2020 12:00:00 GMT
      * 	 issuer: C=US,O=Amazon,OU=Server CA 1B,CN=Amazon
      * 	 compression: NULL
      * ALPN, server accepted to use http/1.1
      > POST /authn/login HTTP/1.1
      > Host: folio-testing-okapi.aws.indexdata.com
      > User-Agent: curl/7.47.0
      > Accept: */*
      > Content-Type: application/json
      > X-Okapi-Tenant: diku
      > Content-Length: 35
      > 
      * upload completely sent off: 35 out of 35 bytes
      < HTTP/1.1 422 Unprocessable Entity
      < Date: Tue, 24 Sep 2019 18:54:15 GMT
      < Content-Type: application/json
      < Transfer-Encoding: chunked
      < Connection: keep-alive
      < X-Okapi-Trace: POST mod-authtoken-2.3.0-SNAPSHOT.55 http://10.36.1.89:9132/authn/login : 202 2984us
      < x-forwarded-for: 140.234.253.9
      < x-forwarded-proto: https
      < x-forwarded-port: 443
      < host: folio-testing-okapi.aws.indexdata.com
      < x-amzn-trace-id: Root=1-5d8a6657-3ecd6a4e80aa647813c1ebda
      < user-agent: curl/7.47.0
      < accept: */*
      < x-okapi-tenant: diku
      < x-okapi-request-id: 618738/authn
      < x-okapi-url: http://10.36.1.89:9130
      < x-okapi-request-ip: 10.36.1.246
      < x-okapi-request-timestamp: 1569351255862
      < x-okapi-request-method: POST
      < x-okapi-permissions: []
      < x-okapi-token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJVTkRFRklORURfVVNFUl9fMTAuMzYuMS44OTo0ODgyOF9fMjAxOS0wOS0yNFQxODo1NDoxNS44NjQrMDAwMCIsIm1vZHVsZSI6Im1vZC1sb2dpbi02LjEuMC1TTkFQU0hPVC42NSIsImV4dHJhX3Blcm1pc3Npb25zIjpbImF1dGguc2lnbnRva2VuIiwiYXV0aC5zaWducmVmcmVzaHRva2VuIiwidXNlcnMuY29sbGVjdGlvbi5nZXQiLCJ1c2Vycy5pdGVtLnB1dCIsInVzZXJzLml0ZW0uZ2V0IiwiY29uZmlndXJhdGlvbi5lbnRyaWVzLmNvbGxlY3Rpb24uZ2V0Il0sInJlcXVlc3RfaWQiOiI2MTg3MzhcL2F1dGhuIiwidGVuYW50IjoiZGlrdSJ9.cE-oO4uJzR05ArSqMMA_dR89HcNA0cgc72Ped7Mb-aQ
      < x-okapi-match-path-pattern: /authn/login
      < X-Okapi-Trace: POST mod-login-6.1.0-SNAPSHOT.65 http://10.36.1.89:9135/authn/login : 422 13785us
      < 
      {
        "errors" : [ {
          "message" : "Error verifying user existence: No user found by username foo",
          "type" : "error",
          "code" : "username.incorrect",
          "parameters" : [ {
            "key" : "username",
            "value" : "foo"
          } ]
        } ]
      * Connection #0 to host folio-testing-okapi.aws.indexdata.com left intact
      }
      

      2. Decode the token:

      {
        "sub": "UNDEFINED_USER__10.36.1.89:48828__2019-09-24T18:54:15.864+0000",
        "module": "mod-login-6.1.0-SNAPSHOT.65",
        "extra_permissions": [
          "auth.signtoken",
          "auth.signrefreshtoken",
          "users.collection.get",
          "users.item.put",
          "users.item.get",
          "configuration.entries.collection.get"
        ],
        "request_id": "618738/authn",
        "tenant": "diku"
      }
      

      TestRail: Results

        Attachments

          Issue Links

            Activity

              People

                adam Adam Dickmeiss
                cmcnally Craig McNally
                Votes:
                1 Vote for this issue
                Watchers:
                16 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  TestRail: Runs

                    TestRail: Cases