Reject invalid tenant ids
Activity
Craig McNally August 17, 2023 at 3:18 PM
@Julian Ladisch will take a look to see where this stands and the security team can discuss next steps afterwards
Adam Dickmeiss October 4, 2022 at 11:16 AM
Work reverted. There's a PR which allows existing tenant IDs - see https://folio-org.atlassian.net/browse/OKAPI-1121#icft=OKAPI-1121
Craig McNally March 3, 2022 at 4:28 PM
The security team has reviewed this and assigned priority. Ideally we can get this fixed in Morning Glory.
Next steps:
1. @Julian Ladisch to discuss the set of restrictions with the core-platform team.
2. Reach out to the implementers once we have an agreed-upon set of restrictions. The purpose is two-fold:
   a. See how prevalent this problem is, and
   b. let them know that they shouldn't be creating new tenants based on the restrictions outlined in https://folio-org.atlassian.net/browse/OKAPI-1081#icft=OKAPI-1081.
   Maybe we should have OKAPI reject new tenants based on these restrictions, but allow pre-existing tenants that are already in place.
3. Brainstorm what migrations would look like - what is the scope? Stripes-config, edge API keys, etc. would all need to change. What else is impacted?
Adam Dickmeiss March 3, 2022 at 3:40 PM
Fortunately, Okapi does have some checks already, for example not allowing upper-case.
The implementation should follow https://folio-org.atlassian.net/wiki/spaces/TC/pages/5053983/DR-000002+-+Tenant+Id+and+Module+Name+Restrictions
Update the release notes for Quesnelia once this change is merged: https://folio-org.atlassian.net/wiki/spaces/REL/pages/5210732/Quesnelia+R1+2024+Release+Notes
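The two ideas discussed in this ticket, rejecting tenant ids that break the agreed restrictions while grandfathering tenants that already exist, and reporting which existing tenants would need a migration, are sketched below as an added Python example. This is illustrative code written for this page, not Okapi's own implementation. The concrete rule (lowercase ASCII letter first, then lowercase letters or digits, at most 31 characters) is an assumption standing in for the restriction set DR-000002 defines; the page itself only states that upper-case is already rejected.

```python
import re

# Assumed restriction set (illustrative stand-in for DR-000002): first
# character a lowercase ASCII letter, then lowercase letters or digits,
# 31 characters at most. Adjust to the agreed rule before reuse.
TENANT_ID_PATTERN = re.compile(r"[a-z][a-z0-9]{0,30}")
MAX_TENANT_ID_LENGTH = 31


class InvalidTenantId(ValueError):
    """Raised when a new tenant id violates the restriction set."""


def is_valid_tenant_id(tenant_id: str) -> bool:
    """True if the id satisfies the assumed restriction set."""
    return TENANT_ID_PATTERN.fullmatch(tenant_id) is not None


def rejection_reason(tenant_id: str):
    """Explain why an id is rejected (None if it is acceptable).

    Giving a specific reason makes rejections in Okapi-style access logs
    actionable for the operator instead of a bare 400.
    """
    if tenant_id == "":
        return "empty tenant id"
    if len(tenant_id) > MAX_TENANT_ID_LENGTH:
        return f"longer than {MAX_TENANT_ID_LENGTH} characters"
    if not tenant_id[0].isascii() or not tenant_id[0].islower() or not tenant_id[0].isalpha():
        return "must start with a lowercase ASCII letter"
    bad = sorted({c for c in tenant_id if not re.fullmatch(r"[a-z0-9]", c)})
    if bad:
        return "disallowed characters: " + "".join(bad)
    return None


def validate_new_tenant(tenant_id: str, existing_tenants) -> str:
    """Enforce the restriction only on tenant creation.

    Pre-existing tenants are grandfathered (returned as "existing") so the
    check cannot lock out deployments created before the rule existed;
    anything new must conform or creation is refused.
    """
    if tenant_id in existing_tenants:
        return "existing"
    reason = rejection_reason(tenant_id)
    if reason is not None:
        raise InvalidTenantId(f"tenant id {tenant_id!r} rejected: {reason}")
    return "accepted"


def audit_existing_tenants(existing_tenants) -> dict:
    """Map each grandfathered-but-invalid tenant id to its violation.

    This is the "how prevalent is this problem" question from the ticket:
    the result is the migration scope (stripes-config, edge API keys, ...).
    """
    report = {}
    for tenant in sorted(existing_tenants):
        reason = rejection_reason(tenant)
        if reason is not None:
            report[tenant] = reason
    return report


if __name__ == "__main__":
    # Constructed sample inventory; ids are made up for this example.
    existing = {"diku", "Legacy_Tenant", "lib2"}
    print(audit_existing_tenants(existing))
    print(validate_new_tenant("Legacy_Tenant", existing))
    print(validate_new_tenant("newlib", existing))
    try:
        validate_new_tenant("New-Lib", existing)
    except InvalidTenantId as err:
        print(err)
```

`rejection_reason` checks the same rule as the regex but reports the first violated constraint, which is what you want surfaced in the error response and in logs when creation is refused; `audit_existing_tenants` reuses it to size the migration work before any enforcement is switched on.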