[MODAT-107] Filter returns X-Okapi-Module-Tokens on error - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: TBD
Resolution: Done
Affects Version/s: 2.9.0
Fix Version/s: 2.9.1
Labels:
- security

Template:
Sprint:
CP: sprint 125
Story Points:
2
Development Team:
Core: Platform

Description

mod-authtoken returns headers in case of 403-type of errors, such as X-Okapi-Module-Tokens. This tricked Okapi to save them (~~OKAPI-1037~~).. But in general, headers like these should not be returned in case of errors.

It can be spotted in code sections easily - as if the mod-authtoken deliberately wants to return that header always.

https://github.com/folio-org/mod-authtoken/blob/ee0ada57495b2613191cb2cc4880c32fcef577bc/src/main/java/org/folio/auth/authtokenmodule/MainVerticle.java#L706

https://github.com/folio-org/mod-authtoken/blob/ee0ada57495b2613191cb2cc4880c32fcef577bc/src/main/java/org/folio/auth/authtokenmodule/MainVerticle.java#L724

https://github.com/folio-org/mod-authtoken/blob/ee0ada57495b2613191cb2cc4880c32fcef577bc/src/main/java/org/folio/auth/authtokenmodule/MainVerticle.java#L755

TestRail: Results

Attachments

Issue Links

relates to

OKAPI-1037 Missing permission check when token cache and pre/post filter

Closed

MODAT-38 Missing module token when calling /token as a filter

Closed

Activity

People

Assignee:: Adam Dickmeiss (Inactive)

Reporter:: Adam Dickmeiss (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 17/Oct/21 12:33 PM

Updated:: 14/Dec/21 3:53 PM

Resolved:: 19/Oct/21 10:22 AM

Filter returns X-Okapi-Module-Tokens on error