mod-login / MODLOGIN-119

change login API to return tokens in the body and not in private headers


Details

    • Sprint: CP: R1 2022 roadmap
    • Story Points: 3
    • Development Team: Core: Platform

      Description

      Both the regular and refresh tokens should be returned as part of the login operation JSON response body and not as response headers.

      The security problems related to token leaks (FOLIO-2287 and FOLIO-2286) suggest that the current design is prone to exploitation because the same authentication headers are used both as request and response headers.

      This is a breaking login API change and requires client (stripes and mod-user-bl) changes.

      Additionally, as discussed in FOLIO-2556 and in the #core-platform channel, there is a potential use case for returning the token as a cookie (Set-Cookie header) to allow transparent handling of tokens in stripes (it is good practice to prevent JavaScript from accessing JWT tokens). This should be verified with the StripesForce team.

      Example (the ".." values are placeholders):

      POST /login HTTP/1.1
      Content-Type: application/json

      {
         "user": ..,
         "pass": ..,
         "tokenTransport": "body"
      }

      HTTP/1.1 200 OK

      {
        "accessToken": "1234"
      }

      and for the "cookie" transport version:

      POST /login HTTP/1.1
      Content-Type: application/json

      {
         "user": ..,
         "pass": ..,
         "tokenTransport": "cookie"
      }

      HTTP/1.1 200 OK
      Set-Cookie: tok=1245

      {
        "tokenTransport": "cookie"
      }
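      The following Python is an added illustration, not mod-login's own code: it shapes a successful /login response for the two transports above (tokens only in the JSON body, or tokens only in HttpOnly cookies so page JavaScript cannot read them) and includes the check a reviewer would want for the "body" transport, namely that no response header carries a token. Only "accessToken" and "tokenTransport" come from the issue; "refreshToken" and the cookie names are assumed placeholders.

```python
import json
from http.cookies import SimpleCookie

# Constructed illustration of the two transports described in this issue.
# Only "accessToken" and "tokenTransport" come from the issue; "refreshToken"
# and the cookie names are assumed placeholders, not mod-login's real API.
ACCESS_COOKIE = "folioAccessToken"
REFRESH_COOKIE = "folioRefreshToken"


def build_login_response(request_body, access_token, refresh_token):
    """Return (status, headers, body) for a successful /login.

    "body":   tokens appear only in the JSON body, so no token travels in a
              header that is also accepted as a request header.
    "cookie": tokens are set as HttpOnly cookies so page JavaScript cannot
              read them; the body only confirms the transport that was used.
    """
    transport = request_body.get("tokenTransport", "body")
    if transport == "body":
        payload = {"accessToken": access_token, "refreshToken": refresh_token}
        return 200, {"Content-Type": "application/json"}, json.dumps(payload)
    if transport == "cookie":
        jar = SimpleCookie()
        for name, value in ((ACCESS_COOKIE, access_token),
                            (REFRESH_COOKIE, refresh_token)):
            jar[name] = value
            jar[name]["httponly"] = True   # not readable from document.cookie
            jar[name]["secure"] = True     # only sent over HTTPS
            jar[name]["samesite"] = "Strict"
            jar[name]["path"] = "/"
        headers = {"Content-Type": "application/json",
                   "Set-Cookie": [m.OutputString() for m in jar.values()]}
        return 200, headers, json.dumps({"tokenTransport": "cookie"})
    return 400, {"Content-Type": "application/json"}, json.dumps(
        {"errors": ["unsupported tokenTransport"]})


def token_bearing_headers(headers, secrets):
    """Names of headers whose value contains one of the tokens: the check
    that the "body" transport must pass with an empty result."""
    found = []
    for name, value in headers.items():
        values = value if isinstance(value, list) else [value]
        if any(s in v for s in secrets for v in values):
            found.append(name)
    return found
```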

                People

                Assignee: Unassigned
                Reporter: Jakub Skoczen