<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:19:34 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-2287] Valid X-Okapi-Token (with permissions) returned on invalid login</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-2287</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;h2&gt;&lt;a name=&quot;Overview&quot;&gt;&lt;/a&gt;Overview&lt;/h2&gt;
&lt;p&gt;It was discovered that when logging in with bogus credentials you get an appropriate error response, but also a valid token with the following permissions:&lt;/p&gt;

&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
  [
    &lt;span class=&quot;code-quote&quot;&gt;&quot;auth.signtoken&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;auth.signrefreshtoken&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;users.collection.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;users.item.put&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;users.item.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;configuration.entries.collection.get&quot;&lt;/span&gt;
  ]
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;h2&gt;&lt;a name=&quot;Reproducer&quot;&gt;&lt;/a&gt;Reproducer&lt;/h2&gt;

&lt;p&gt;1. Login with bad credentials&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
$ curl https:&lt;span class=&quot;code-comment&quot;&gt;//folio-testing-okapi.aws.indexdata.com:443/authn/login -H &lt;span class=&quot;code-quote&quot;&gt;&apos;Content-Type: application/json&apos;&lt;/span&gt; -H &lt;span class=&quot;code-quote&quot;&gt;&apos;X-Okapi-Tenant: diku&apos;&lt;/span&gt; --data-binary &lt;span class=&quot;code-quote&quot;&gt;&apos;{&lt;span class=&quot;code-quote&quot;&gt;&quot;username&quot;&lt;/span&gt;:&lt;span class=&quot;code-quote&quot;&gt;&quot;foo&quot;&lt;/span&gt;,&lt;span class=&quot;code-quote&quot;&gt;&quot;password&quot;&lt;/span&gt;:&lt;span class=&quot;code-quote&quot;&gt;&quot;bar&quot;&lt;/span&gt;}&apos;&lt;/span&gt; -v -w &lt;span class=&quot;code-quote&quot;&gt;&apos;\n&apos;&lt;/span&gt;
&lt;/span&gt;+ curl https:&lt;span class=&quot;code-comment&quot;&gt;//folio-testing-okapi.aws.indexdata.com:443/authn/login -H &lt;span class=&quot;code-quote&quot;&gt;&apos;Content-Type: application/json&apos;&lt;/span&gt; -H &lt;span class=&quot;code-quote&quot;&gt;&apos;X-Okapi-Tenant: diku&apos;&lt;/span&gt; --data-binary &lt;span class=&quot;code-quote&quot;&gt;&apos;{&lt;span class=&quot;code-quote&quot;&gt;&quot;username&quot;&lt;/span&gt;:&lt;span class=&quot;code-quote&quot;&gt;&quot;foo&quot;&lt;/span&gt;,&lt;span class=&quot;code-quote&quot;&gt;&quot;password&quot;&lt;/span&gt;:&lt;span class=&quot;code-quote&quot;&gt;&quot;bar&quot;&lt;/span&gt;}&apos;&lt;/span&gt; -v -w &lt;span class=&quot;code-quote&quot;&gt;&apos;\n&apos;&lt;/span&gt;
&lt;/span&gt;*   Trying 52.72.80.49...
* Connected to folio-testing-okapi.aws.indexdata.com (52.72.80.49) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* 	 common name: *.aws.indexdata.com (matched)
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate &lt;span class=&quot;code-keyword&quot;&gt;public&lt;/span&gt; key: RSA
* 	 certificate version: #3
* 	 subject: CN=*.aws.indexdata.com
* 	 start date: Thu, 23 May 2019 00:00:00 GMT
* 	 expire date: Tue, 23 Jun 2020 12:00:00 GMT
* 	 issuer: C=US,O=Amazon,OU=Server CA 1B,CN=Amazon
* 	 compression: NULL
* ALPN, server accepted to use http/1.1
&amp;gt; POST /authn/login HTTP/1.1
&amp;gt; Host: folio-testing-okapi.aws.indexdata.com
&amp;gt; User-Agent: curl/7.47.0
&amp;gt; Accept: */*
&amp;gt; Content-Type: application/json
&amp;gt; X-Okapi-Tenant: diku
&amp;gt; Content-Length: 35
&amp;gt; 
* upload completely sent off: 35 out of 35 bytes
&amp;lt; HTTP/1.1 422 Unprocessable Entity
&amp;lt; Date: Tue, 24 Sep 2019 18:54:15 GMT
&amp;lt; Content-Type: application/json
&amp;lt; Transfer-Encoding: chunked
&amp;lt; Connection: keep-alive
&amp;lt; X-Okapi-Trace: POST mod-authtoken-2.3.0-SNAPSHOT.55 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.89:9132/authn/login : 202 2984us
&lt;/span&gt;&amp;lt; x-forwarded-&lt;span class=&quot;code-keyword&quot;&gt;for&lt;/span&gt;: 140.234.253.9
&amp;lt; x-forwarded-proto: https
&amp;lt; x-forwarded-port: 443
&amp;lt; host: folio-testing-okapi.aws.indexdata.com
&amp;lt; x-amzn-trace-id: Root=1-5d8a6657-3ecd6a4e80aa647813c1ebda
&amp;lt; user-agent: curl/7.47.0
&amp;lt; accept: */*
&amp;lt; x-okapi-tenant: diku
&amp;lt; x-okapi-request-id: 618738/authn
&amp;lt; x-okapi-url: http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.89:9130
&lt;/span&gt;&amp;lt; x-okapi-request-ip: 10.36.1.246
&amp;lt; x-okapi-request-timestamp: 1569351255862
&amp;lt; x-okapi-request-method: POST
&amp;lt; x-okapi-permissions: []
&amp;lt; x-okapi-token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJVTkRFRklORURfVVNFUl9fMTAuMzYuMS44OTo0ODgyOF9fMjAxOS0wOS0yNFQxODo1NDoxNS44NjQrMDAwMCIsIm1vZHVsZSI6Im1vZC1sb2dpbi02LjEuMC1TTkFQU0hPVC42NSIsImV4dHJhX3Blcm1pc3Npb25zIjpbImF1dGguc2lnbnRva2VuIiwiYXV0aC5zaWducmVmcmVzaHRva2VuIiwidXNlcnMuY29sbGVjdGlvbi5nZXQiLCJ1c2Vycy5pdGVtLnB1dCIsInVzZXJzLml0ZW0uZ2V0IiwiY29uZmlndXJhdGlvbi5lbnRyaWVzLmNvbGxlY3Rpb24uZ2V0Il0sInJlcXVlc3RfaWQiOiI2MTg3MzhcL2F1dGhuIiwidGVuYW50IjoiZGlrdSJ9.cE-oO4uJzR05ArSqMMA_dR89HcNA0cgc72Ped7Mb-aQ
&amp;lt; x-okapi-match-path-pattern: /authn/login
&amp;lt; X-Okapi-Trace: POST mod-login-6.1.0-SNAPSHOT.65 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.89:9135/authn/login : 422 13785us
&lt;/span&gt;&amp;lt; 
{
  &lt;span class=&quot;code-quote&quot;&gt;&quot;errors&quot;&lt;/span&gt; : [ {
    &lt;span class=&quot;code-quote&quot;&gt;&quot;message&quot;&lt;/span&gt; : &lt;span class=&quot;code-quote&quot;&gt;&quot;Error verifying user existence: No user found by username foo&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;type&quot;&lt;/span&gt; : &lt;span class=&quot;code-quote&quot;&gt;&quot;error&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;code&quot;&lt;/span&gt; : &lt;span class=&quot;code-quote&quot;&gt;&quot;username.incorrect&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;parameters&quot;&lt;/span&gt; : [ {
      &lt;span class=&quot;code-quote&quot;&gt;&quot;key&quot;&lt;/span&gt; : &lt;span class=&quot;code-quote&quot;&gt;&quot;username&quot;&lt;/span&gt;,
      &lt;span class=&quot;code-quote&quot;&gt;&quot;value&quot;&lt;/span&gt; : &lt;span class=&quot;code-quote&quot;&gt;&quot;foo&quot;&lt;/span&gt;
    } ]
  } ]
* Connection #0 to host folio-testing-okapi.aws.indexdata.com left intact
}
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;2. Decode the token:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
{
  &lt;span class=&quot;code-quote&quot;&gt;&quot;sub&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;UNDEFINED_USER__10.36.1.89:48828__2019-09-24T18:54:15.864+0000&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;module&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;mod-login-6.1.0-SNAPSHOT.65&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;extra_permissions&quot;&lt;/span&gt;: [
    &lt;span class=&quot;code-quote&quot;&gt;&quot;auth.signtoken&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;auth.signrefreshtoken&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;users.collection.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;users.item.put&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;users.item.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;configuration.entries.collection.get&quot;&lt;/span&gt;
  ],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;request_id&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;618738/authn&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;tenant&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;diku&quot;&lt;/span&gt;
}
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;</description>
                <environment>&lt;p&gt;folio-testing, daisy&lt;/p&gt;</environment>
        <key id="81434">FOLIO-2287</key>
            <summary>Valid X-Okapi-Token (with permissions) returned on invalid login</summary>
                <type id="10001" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium">Bug</type>
                                            <priority id="10000" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p1.svg">P1</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="5f8314dfbdef80006f6f572d">Adam Dickmeiss</assignee>
                                                                <reporter accountid="5cf6c546b87c300f36eb7b9a">Craig McNally</reporter>
                                    <labels>
                            <label>bugfest_q3.2.2019</label>
                            <label>platform-backlog</label>
                            <label>q3.2-2019</label>
                            <label>security</label>
                    </labels>
                <created>Tue, 24 Sep 2019 18:55:51 +0000</created>
                <updated>Fri, 26 Feb 2021 09:23:36 +0000</updated>
                            <resolved>Thu, 26 Sep 2019 16:18:01 +0000</resolved>
                                                                        <due></due>
                            <votes>1</votes>
                                    <watches>15</watches>
                                                                <comments>
                                                            <comment id="193416" author="5f8314dfbdef80006f6f572d" created="Tue, 24 Sep 2019 19:11:11 +0000"  >&lt;p&gt;I get mod-login-6.1.0-SNAPSHOT.65 and mod-authtoken-2.3.0-SNAPSHOT.55 .&lt;/p&gt;</comment>
                                                            <comment id="193420" author="5f8314dfbdef80006f6f572d" created="Tue, 24 Sep 2019 19:22:30 +0000"  >&lt;p&gt;I&apos;ll look at this first thing tomorrow morning. My guess is that it&apos;s a trivial fix.&lt;/p&gt;</comment>
                                                            <comment id="193424" author="557058:4f6bed01-40a6-48d5-8471-7ef21f5ea97c" created="Tue, 24 Sep 2019 19:42:47 +0000"  >&lt;p&gt;Just a FYI, I tried it on &lt;b&gt;q1&lt;/b&gt; Vagrant and it has the same issue. Maybe Okapi can remove the non-authenticated token before returning the response.&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
x-okapi-token: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJVTkRFRklORURfVVNFUl9fMTAuMC4yLjE1OjUzNTk0X18yMDE5LTA5LTI0VDE5OjMzOjUwLjU2NyswMDAwIiwibW9kdWxlIjoibW9kLWxvZ2luLTUuMS4wIiwiZXh0cmFfcGVybWlzc2lvbnMiOlsiYXV0aC5zaWdudG9rZW4iLCJhdXRoLnNpZ25yZWZyZXNodG9rZW4iLCJ1c2Vycy5jb2xsZWN0aW9uLmdldCIsInVzZXJzLml0ZW0ucHV0IiwidXNlcnMuaXRlbS5nZXQiLCJjb25maWd1cmF0aW9uLmVudHJpZXMuY29sbGVjdGlvbi5nZXQiXSwicmVxdWVzdF9pZCI6IjcwMTk1M1wvYXV0aG4iLCJ0ZW5hbnQiOiJkaWt1In0.EURjNFl1cUo38KmztOHLhvgkTLCtt2BA4-svStpOLoM
{
  &lt;span class=&quot;code-quote&quot;&gt;&quot;sub&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;UNDEFINED_USER__10.0.2.15:53594__2019-09-24T19:33:50.567+0000&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;module&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;mod-login-5.1.0&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;extra_permissions&quot;&lt;/span&gt;: [
    &lt;span class=&quot;code-quote&quot;&gt;&quot;auth.signtoken&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;auth.signrefreshtoken&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;users.collection.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;users.item.put&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;users.item.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;configuration.entries.collection.get&quot;&lt;/span&gt;
  ],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;request_id&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;701953/authn&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;tenant&quot;&lt;/span&gt;: &lt;span class=&quot;code-quote&quot;&gt;&quot;diku&quot;&lt;/span&gt;
}
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;</comment>
                                                            <comment id="193430" author="5cf6c546b87c300f36eb7b9a" created="Tue, 24 Sep 2019 20:48:05 +0000"  >&lt;p&gt;Also note that this is also an issue with /bl-users/login - though the token has different permissions:&lt;/p&gt;

&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
  [
    &lt;span class=&quot;code-quote&quot;&gt;&quot;users.item.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;users.collection.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;perms.users.item.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;perms.users.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;usergroups.item.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.service-points-users.collection.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.service-points-users.item.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.service-points.collection.get&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;inventory-storage.service-points.item.get&quot;&lt;/span&gt;
  ]
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;Not sure if we need a separate issue for this or not...&lt;/p&gt;</comment>
                                                            <comment id="193434" author="557058:4f6bed01-40a6-48d5-8471-7ef21f5ea97c" created="Tue, 24 Sep 2019 20:52:18 +0000"  >&lt;p&gt;Looks to me all those perms are coming from the API level &lt;b&gt;modulePermissions&lt;/b&gt;. For example;&lt;br/&gt;
&lt;a href=&quot;https://github.com/folio-org/mod-login/blob/master/descriptors/ModuleDescriptor-template.json#L37-L40&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/mod-login/blob/master/descriptors/ModuleDescriptor-template.json#L37-L40&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://github.com/folio-org/mod-users-bl/blob/master/descriptors/ModuleDescriptor-template.json#L38-L49&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/mod-users-bl/blob/master/descriptors/ModuleDescriptor-template.json#L38-L49&lt;/a&gt;&lt;/p&gt;
</comment>
                                                            <comment id="193440" author="5f8314dfbdef80006f6f572d" created="Wed, 25 Sep 2019 08:40:46 +0000"  >&lt;p&gt;Moving this issue to Folio because it&apos;s not related to mod-authtoken . The main problem is that all RMB modules echo most/all request headers to response. This makes mod-login return all its request headers - including X-Okapi-Token that it got from Okapi that contains module permissions for mod-login. The reason why it even works - when a successful login is performed must be due to RMB overriding the response header .. headers201().. thingy. But when that is not called due to error 400, the request headers are just relayed.&lt;/p&gt;

&lt;p&gt;While it&apos;s possible RMB and it &lt;b&gt;should&lt;/b&gt; be fixed so that RMB modules do not return response headers - not mentioned in RAML - except for fundamental ones, like Content-Type and Content-Length .. The problem is that it will take weeks for all modules to be updated to a fixed RMB. So for this reason, we believe it&apos;s best to make a change to Okapi to, at least, ignore the returned X-Okapi-Token in the &quot;faulty&quot; cases.&lt;/p&gt;</comment>
                                                            <comment id="193446" author="63e2a2771b13d42998e4e706" created="Wed, 25 Sep 2019 09:34:09 +0000"  >&lt;blockquote&gt;&lt;p&gt;The main problem is that all RMB modules echo most/all request headers to response. This makes mod-login return all its request headers - including X-Okapi-Token that it got from Okapi that contains module permissions for mod-login. &lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;Agreed, that has been bugging me for a while. I imagine in the early days it was convenient and useful for debugging.&lt;/p&gt;

&lt;p&gt;The reason why it even works - when a successful login is performed must be due to RMB overriding the response header .. headers201().. thingy. But when that is not called due to error 400, the request headers are just relayed.&lt;/p&gt;

&lt;p&gt;I didn&apos;t realise this didn&apos;t occur on success, only that it mattered less, because in that case the token would be replaced by a legitimate user token.&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;While it&apos;s possible RMB and it should be fixed so that RMB modules do not return response headers - not mentioned in RAML - except for fundamental ones, like Content-Type and Content-Length .. The problem is that it will take weeks for all modules to be updated to a fixed RMB. So for this reason, we believe it&apos;s best to make a change to Okapi to, at least, ignore the returned X-Okapi-Token in the &quot;faulty&quot; cases.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;This seems like a reasonable approach. What could be considered faulty? Is it based upon the module producing the response, the status code etc?&lt;/p&gt;</comment>
                                                            <comment id="193454" author="5f8314dfbdef80006f6f572d" created="Wed, 25 Sep 2019 09:44:49 +0000"  >&lt;p&gt;1. There&apos;s a PR for RMB out now &lt;a href=&quot;https://github.com/folio-org/raml-module-builder/pull/526&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/raml-module-builder/pull/526&lt;/a&gt; .. A matter of removing lines of code and a comment that it was problematic to just copy them down &lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/smile.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; Of course mod-login is using RMB 25.0.1 and  not RMB 27 and of course, it just hangs when you compile with RMB 27. We tried to backport the fix to the b25 branch without problems and we were able to install a mod-login on vagrant-testing box and saw that indeed that fixes the issue.&lt;/p&gt;

&lt;p&gt;2. It&apos;s not easy to fix it in Okapi and .. quite frankly, should we even bother? In general how can Okapi know what&apos;s a secret or not.. We know this one is. We&apos;ll see if we can fix it there as well.&lt;/p&gt;

&lt;p&gt;The shortest path to fixing is - it seems - release RMB 25.0.2 and release mod-login using that.&lt;/p&gt;</comment>
                                                            <comment id="193460" author="63e2a2771b13d42998e4e706" created="Wed, 25 Sep 2019 09:51:01 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5f8314dfbdef80006f6f572d&quot; class=&quot;user-hover&quot; rel=&quot;5f8314dfbdef80006f6f572d&quot; data-account-id=&quot;5f8314dfbdef80006f6f572d&quot; accountid=&quot;5f8314dfbdef80006f6f572d&quot; rel=&quot;noreferrer&quot;&gt;Adam Dickmeiss&lt;/a&gt; Thanks for the quick work.&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;2. It&apos;s not easy to fix it in Okapi and .. quite frankly, should we even bother? In general how can Okapi know what&apos;s a secret or not.. We know this one is. We&apos;ll see if wen can fix it there as well.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;I thought you were advocating for that change. My questions above were to explore the practicalities of that approach. I agree that it could get complicated and it might not be Okapi&apos;s place to do that.&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;The shortest path to fixing is - it seems - release RMB 25.0.2 and release mod-login using that.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;I agree, that is the most expedient thing to do, and it resolves this issue. Broader changes can be deferred and thought about more.&lt;/p&gt;</comment>
                                                            <comment id="193465" author="5f8314dfbdef80006f6f572d" created="Wed, 25 Sep 2019 12:35:01 +0000"  >&lt;p&gt;mod-login 6.1.1 is now released. This hopefully resolves the immediate issue. All RMB based modules should be updated as well. After a user is logged in, all RMB modules &lt;b&gt;will&lt;/b&gt; return all headers, some of which should NOT be shared with users.&lt;/p&gt;</comment>
                                                            <comment id="193470" author="6291011f9c617b006a6f8d98" created="Wed, 25 Sep 2019 15:37:39 +0000"  >&lt;p&gt;How does this behave, when Okapi is secured? Or does this assume a secured Okapi?&lt;/p&gt;</comment>
                                                            <comment id="193478" author="5cffed1a5d548b0c51d6b19b" created="Wed, 25 Sep 2019 18:42:35 +0000"  >&lt;p&gt;Moved this bug to mod-login because FOLIO project is filtered out from release dashboard.&lt;/p&gt;</comment>
                                                            <comment id="193482" author="5f8314dfbdef80006f6f572d" created="Wed, 25 Sep 2019 19:58:53 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cffed1a5d548b0c51d6b19b&quot; class=&quot;user-hover&quot; rel=&quot;5cffed1a5d548b0c51d6b19b&quot; data-account-id=&quot;5cffed1a5d548b0c51d6b19b&quot; accountid=&quot;5cffed1a5d548b0c51d6b19b&quot; rel=&quot;noreferrer&quot;&gt;Anton Emelianov&lt;/a&gt; I&apos;m inclined to revert your project move..&lt;/p&gt;

&lt;p&gt;The product related issues and those that are pertained to Q3.2 releases are in 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;MODLOGIN-117&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/MODLOGIN-117&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Update to RMB 25.0.2&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium&quot; /&gt;
            MODLOGIN-117
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;MODUSERBL-79&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/MODUSERBL-79&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Update to RMB 25.0.2&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium&quot; /&gt;
            MODUSERBL-79
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;RMB-468&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/RMB-468&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Foreign key field index&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10322?size=medium&quot; /&gt;
            RMB-468
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
.. &lt;/p&gt;

&lt;p&gt;The security issue does NOT only pertain to mod-login.&lt;/p&gt;</comment>
                                                            <comment id="193488" author="5f8314dfbdef80006f6f572d" created="Wed, 25 Sep 2019 20:00:53 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=6291011f9c617b006a6f8d98&quot; class=&quot;user-hover&quot; rel=&quot;6291011f9c617b006a6f8d98&quot; data-account-id=&quot;6291011f9c617b006a6f8d98&quot; accountid=&quot;6291011f9c617b006a6f8d98&quot; rel=&quot;noreferrer&quot;&gt;jroot&lt;/a&gt; .. not really related to secured Okapi at all.. If supertenant is secured, then that user (like other users) can be tampered with until this is fixed.&lt;/p&gt;</comment>
                                                            <comment id="193492" author="5cffed1a5d548b0c51d6b19b" created="Wed, 25 Sep 2019 20:35:00 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5f8314dfbdef80006f6f572d&quot; class=&quot;user-hover&quot; rel=&quot;5f8314dfbdef80006f6f572d&quot; data-account-id=&quot;5f8314dfbdef80006f6f572d&quot; accountid=&quot;5f8314dfbdef80006f6f572d&quot; rel=&quot;noreferrer&quot;&gt;Adam Dickmeiss&lt;/a&gt;, FOLIO project contains a lot of tickets that don&apos;t have any significance for product releases (a lot of DevOps staff, for example). This is why I am filtering out FOLIO project on release dashboards. I don&apos;t mind if you have a better home for this ticket other than FOLIO. &lt;/p&gt;</comment>
                                                            <comment id="193497" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Thu, 26 Sep 2019 05:47:33 +0000"  >&lt;p&gt;&lt;span class=&quot;error&quot;&gt;&amp;#91;EDITED&amp;#93;&lt;/span&gt; &lt;/p&gt;

&lt;p&gt;I have moved this ticket back to FOLIO as the issue is present in both mod-login and mod-users-bl. This is also now fixed directly in those modules (see linked BLOCKERs).&lt;/p&gt;

&lt;p&gt;This is the critical security problem, exploitable by a remote attacker &lt;del&gt;vs 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;FOLIO-2286&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-2286&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;X-Okapi-Module-Tokens response header providing access to unauthenticated users&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium&quot; /&gt;
            FOLIO-2286
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 which is only exploitable locally (we believe).&lt;/del&gt;&lt;/p&gt;</comment>
                                                            <comment id="193502" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Thu, 26 Sep 2019 16:18:01 +0000"  >&lt;p&gt;Verified by &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10000">
                    <name>Blocks</name>
                                                                <inwardlinks description="is blocked by">
                                        <issuelink>
            <issuekey id="35185">MODLOGIN-117</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="35342">MODUSERBL-79</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="81441">FOLIO-2286</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="54092">OKAPI-763</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="35191">MODLOGIN-119</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="57104">RMB-478</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="61925">STCOR-391</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10144"><![CDATA[Core: Platform]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i006k7:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1419">CP: sprint 73</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10044" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>Story Points</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Tue, 24 Sep 2019 19:11:11 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>