<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:05:19 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-378] Validate tenant-ID against host header</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-378</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;Requests sent to Okapi will be on some tenant-specific hostname, and will also send a tenant-ID in the &lt;tt&gt;X-Okapi-Tenant&lt;/tt&gt; header. The back-end should protect against MITM attacks by validating that the asserted tenant-ID is valid for use on the hostname.&lt;/p&gt;

&lt;p&gt;(Before we can do this, we will need to figure out how tenant-specific hostnames are generated or configured, and how Okapi can obtain that information.)&lt;/p&gt;</description>
                <environment></environment>
        <key id="79976">FOLIO-378</key>
            <summary>Validate tenant-ID against host header</summary>
                <type id="10002" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10322?size=medium">New Feature</type>
                                            <priority id="10003" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p4.svg">P4</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10000">Won&apos;t Do</resolution>
                                                        <assignee accountid="712020:38d1a08f-86a8-4df2-9191-239b16b0a81a">Heikki Levanto</assignee>
                                                                <reporter accountid="5bffed52a1b46046f530c8f7">Mike Taylor</reporter>
                                    <labels>
                    </labels>
                <created>Wed, 9 Nov 2016 20:59:52 +0000</created>
                <updated>Mon, 12 Nov 2018 14:23:19 +0000</updated>
                            <resolved>Tue, 22 Nov 2016 09:28:58 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>2</watches>
                                                    <timespent seconds="3600">1 hour</timespent>
                                <comments>
                                                            <comment id="188213" author="5bffed52a1b46046f530c8f7" created="Wed, 9 Nov 2016 21:03:51 +0000"  >&lt;p&gt;The real issue here may be that the UI ought to be sending proper encrypted/signed authentication tokens. See 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;STRIPES-42&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/STRIPES-42&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Send authorization header&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10322?size=medium&quot; /&gt;
            STRIPES-42
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
.&lt;/p&gt;</comment>
                                                            <comment id="188214" author="712020:38d1a08f-86a8-4df2-9191-239b16b0a81a" created="Mon, 21 Nov 2016 14:41:53 +0000"  >&lt;p&gt;I don&apos;t see much need to validate the HOST header. The security comes from logging in to a given tenant with valid credentials. After that, the tenant information is carried in the X-Okapi-Token, and is no longer needed. The client may try to use a different X-Okapi-Tenant header, but Okapi will catch that, and refuse the whole request.&lt;/p&gt;

&lt;p&gt;If we ever set up a database of HOST names and matching tenants, this could be used for guessing the Tenant at the login time, but I don&apos;t see much need for that.&lt;/p&gt;

&lt;p&gt;Yes, the UI should start with a login and pass the token around.&lt;/p&gt;
</comment>
                                                            <comment id="188215" author="5bffed52a1b46046f530c8f7" created="Mon, 21 Nov 2016 16:05:41 +0000"  >&lt;p&gt;OK, no problem. If you&apos;re happy about this, you should just close this as WONTFIX.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="60847">STRIPES-42</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzxhsn:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 21 Nov 2016 14:41:53 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>