[FOLIO-378] Validate tenant-ID against host header
Created: 09/Nov/16 Updated: 12/Nov/18 Resolved: 22/Nov/16

| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | New Feature |
| Priority: | P4 |
| Reporter: | Mike Taylor |
| Assignee: | Heikki Levanto |
| Resolution: | Won't Do |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | 1 hour |
| Original estimate: | Not Specified |
| Issue links: | |
| Sprint: | |

| Description |
Requests sent to Okapi will be on some tenant-specific hostname, and will also send a tenant-ID in the X-Okapi-Tenant header. The back-end should protect against MITM attacks by validating that the asserted tenant-ID is valid for use on the hostname. (Before we can do this, we will need to figure out how tenant-specific hostnames are generated or configured, and how Okapi can obtain that information.) |
| Comments |
| Comment by Mike Taylor [ 09/Nov/16 ] |
The real issue here may be that the UI ought to be sending proper encrypted/signed authentication tokens. See
| Comment by Heikki Levanto [ 21/Nov/16 ] |
I don't see much need to validate the HOST header. The security comes from logging in to a given tenant with valid credentials. After that, the tenant information is carried in the X-Okapi-Token, and is no longer needed. The client may try to use a different X-Okapi-Tenant header, but Okapi will catch that, and refuse the whole request. If we ever set up a database of HOST names and matching tenants, this could be used for guessing the Tenant at the login time, but I don't see much need for that. Yes, the UI should start with a login and pass the token around. |
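The comment above describes the check Okapi already makes after login (the tenant bound into X-Okapi-Token must agree with X-Okapi-Tenant), and the description proposes a further check against the Host header. The following is an added illustration of both checks combined, not Okapi's own code; the token layout (a JWT-shaped token whose payload carries a `tenant` claim), the hostname-to-tenant table and the demo token builder are assumptions made for the example.

```python
import base64
import json

# Constructed hostname -> tenant table (an assumption: how it would really be
# populated is the open question in the ticket).
HOST_TO_TENANT = {"diku.example.org": "diku", "testlib.example.org": "testlib"}

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def make_unsigned_token(tenant):
    """Demo-only JWT-shaped token with a 'tenant' claim and a placeholder signature."""
    return _b64url({"alg": "none"}) + "." + _b64url({"tenant": tenant}) + ".placeholder-sig"

def token_tenant(token):
    """Return the 'tenant' claim from the token payload, or None if malformed.
    Assumption: payload is the second base64url segment. Signature checking is
    out of scope here; a real gateway verifies it before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    return claims.get("tenant") if isinstance(claims, dict) else None

def check_request(headers):
    """Return (ok, reason) for a request's Host / X-Okapi-Tenant / X-Okapi-Token.
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    asserted = h.get("x-okapi-tenant")
    if not asserted:
        return False, "missing X-Okapi-Tenant"
    token = h.get("x-okapi-token")
    if token is not None:
        # After login the tenant bound into the token is authoritative; a
        # mismatching X-Okapi-Tenant header rejects the whole request.
        if token_tenant(token) != asserted:
            return False, "X-Okapi-Tenant does not match token tenant"
    # Proposed extra check: the tenant must be one served on this hostname.
    # Hosts absent from the table cannot be checked and pass through.
    host = h.get("host", "").split(":")[0].lower()
    expected = HOST_TO_TENANT.get(host)
    if expected is not None and expected != asserted:
        return False, "tenant not valid for host"
    return True, "ok"
```

A request with no token (the login case) is only subject to the hostname check, which is the situation where the comment suggests a host table could at most help guess the tenant.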
| Comment by Mike Taylor [ 21/Nov/16 ] |
OK, no problem. If you're happy about this, you should just close this as WONTFIX. |