Description
As documented in the live API documentation (https://demo.openmf.org/api-docs/apiLive.htm#authentication), clients must send the username and password as URL query parameters of the authentication endpoint:
... function setBasicAuthKey(username, password) { var jqxhr = $.ajax({ url : "authentication?username=" + username + "&password=" + password, type : 'POST', ...
This could lead to credential leakage if the platform is deployed in an environment with server-side URL logging (web server, reverse proxy or load balancer access logs): anyone with access to those logs would see the passwords in clear text.
The proposed solution is to additionally allow sending the username and password in the request body or in a header.
Something similar happens with the OAuth endpoint:
var jqxhr = $.ajax({ url : "/fineract-provider/api/oauth/token?username=" + credentials.username + "&password=" + credentials.password +"&client_id=community-app&grant_type=password&client_secret=123
Solution proposal
Allow credentials to be sent as part of the request payload instead. That is less prone to leakage where server-side URL logging is in place.
For the /authentication endpoint it might also make sense to support the standard HTTP Basic Authorization header (base64-encoded username:password).
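An added example (not Fineract's own code) contrasting the query-string login from the report with the two proposed shapes, plus a log-side check and redaction helper for URLs that still carry credential parameters. The base URL, the JSON field names and the sample credentials are assumptions.

```javascript
// Added example (not Fineract's own code): the three request shapes the report
// compares, plus a log-side check that a URL carries no credential parameters.
// Base URL values are assumed placeholders, not a real deployment.
const CREDENTIAL_PARAMS = new Set(['username', 'password', 'client_secret']);

function loginRequest(baseUrl, headers, body) {
  return { method: 'POST', url: new URL('authentication', baseUrl).toString(), headers, body };
}

// Pattern the report objects to: credentials in the query string, which any server
// or proxy that logs request URLs will record in clear text.
function buildQueryStringLogin(baseUrl, username, password) {
  const u = new URL('authentication', baseUrl);
  u.searchParams.set('username', username);
  u.searchParams.set('password', password);
  return { method: 'POST', url: u.toString(), headers: {}, body: null };
}

// Proposed fix 1: credentials in a JSON request body (field names are assumed).
function buildBodyLogin(baseUrl, username, password) {
  return loginRequest(baseUrl, { 'Content-Type': 'application/json' },
    JSON.stringify({ username, password }));
}

// Proposed fix 2: the standard HTTP Basic header, base64("username:password").
function buildBasicAuthLogin(baseUrl, username, password) {
  const token = Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
  return loginRequest(baseUrl, { Authorization: `Basic ${token}` }, null);
}

// Detection: which credential parameters appear in a URL or request path, as it
// would show up in an access log line.
function leakedCredentialParams(urlString) {
  const u = new URL(urlString, 'http://placeholder.invalid');
  return [...u.searchParams.keys()].filter((k) => CREDENTIAL_PARAMS.has(k.toLowerCase()));
}

// Mitigation for existing logging: redact credential values before the URL is written.
function redactCredentialParams(urlString) {
  const absolute = /^[a-z][a-z0-9+.-]*:/i.test(urlString);
  const u = new URL(urlString, 'http://placeholder.invalid');
  for (const k of [...u.searchParams.keys()]) {
    if (CREDENTIAL_PARAMS.has(k.toLowerCase())) u.searchParams.set(k, 'REDACTED');
  }
  return absolute ? u.toString() : u.pathname + u.search;
}
```

Running `leakedCredentialParams` over the request paths in an access log gives a quick audit of whether the deployed clients are still using the query-string form.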
Issue Links
- duplicates: FINERACT-726 Changes to /authentication API's to pass data as part of request body (Resolved)
- requires: FINERACT-1145 OAuth Support documentation is missing (Resolved); FINERACT-726 Changes to /authentication API's to pass data as part of request body (Resolved)