[OKAPI-847] Conditionally defer CORS handling to module when invoked via passthrough API - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Story
Status: Closed (View Workflow)
Priority: P2
Resolution: Done
Affects Version/s: None
Fix Version/s: 3.1.0
Labels:
- platform-backlog

Template:
customfield_11100 36131
Sprint:
CP: sprint 89, CP: sprint 90
Story Points:
3
Development Team:
Core: Platform
Epic Link:
Security Audit Remediation

Description

Overview

The /_/invoke/tenant/<tenantId>/<path> is essentially a passthrough proxy to the target module. In order to allow mod-login-saml to set cookies - as part of CSRF prevention, we would like that module to perform it's own CORS handling. It's currently invoked via the aforementioned passthrough proxy API.

See https://wiki.folio.org/display/DD/SAML+CSRF+Prevention for details.

Acceptance Criteria

The module descriptor allows you to optionally specify whether or not to delegate CORS handling to the target module when invoked via /_/invoke/tenant/<tenantId>/<path>
CORS handling is conditionally handled in OKAPI based on the target module's descriptor (only when invoked via /_/invoke/tenant/<tenantId>/<path>)
OKAPI guide is updated with details

TestRail: Results

Attachments

Issue Links

blocks

MODLOGSAML-58 Arbitrary URL Redirection in SAML Response

Closed

MODLOGSAML-59 Umbrella: Cross-Site Request Forgery (CSRF) in SSO Flow

Closed

relates to

MODLOGSAML-63 Implement CSRF Prevention

Closed

STCOR-544 Set credentials: include on fetch to /saml/login

Closed

Activity

People

Assignee:: Hongwei Ji

Reporter:: Craig McNally

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 21/May/20 1:31 PM

Updated:: 02/Jun/20 1:11 PM

Resolved:: 02/Jun/20 1:11 PM

Conditionally defer CORS handling to module when invoked via passthrough API