New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] Session cookie received with API token #864

Closed
zpriddy opened this Issue Feb 2, 2019 · 3 comments

Comments

Projects
None yet
3 participants
@zpriddy
Copy link
Contributor

zpriddy commented Feb 2, 2019

Request Type

Bug

Work Environment

Question Answer
TheHive version / git hash 3.2.1

Problem Description

So this started out with me creating a chrome extension for the team to get notified when new alerts are created in hive. This works by pulling the API every 30 seconds to a minute and looking at the number of alerts and source references. (Yes I can publish this once its done). However I wanted to make a user with read only access and use the same API token for the extension for everyone on the team rather then sending each user their own token.. (I know probably not the best solution but it was a work in progress) However when i started playing with this I realized that it created a session with Hive and logged the UI into the same user that was making the API calls.. In one way this is very convenient because if you just use your API token you are always logged in :)

... However when i started to think about this more I started to see some issues with this because it would be easy for an admin to assume the role of any user and make calls via the UI (I dont think the audit trail shows if changes were made via UI or API - this would be useful too) I am also wondering how this would affect users when using other authentication methods like LDAP or X.509? Could you bypass MFA when using an SSO service that supports X.509 and MFA?

Solutions

When making calls with an API token maybe don't return a session cookie? Or atleast a cookie that allows access to non-api calls?

Also in my use case it would be nice to be able to make API calls with out sending the API token in the headers (It seems like this might be doable for a quick test) and just use the current users session, thus forcing them to log back in if it has been too long.

@zpriddy

This comment has been minimized.

Copy link
Contributor Author

zpriddy commented Feb 2, 2019

This looks like it could be in a way related to #537

@nadouani

This comment has been minimized.

Copy link
Contributor

nadouani commented Feb 5, 2019

Hello @zpriddy, we will address this issue, we will remove the session cookie from api call using API Key.

@nadouani nadouani added the bug label Feb 5, 2019

@nadouani nadouani added this to the 3.3.0 milestone Feb 5, 2019

@To-om

This comment has been minimized.

Copy link
Contributor

To-om commented Feb 5, 2019

The fix requires new version of elastic4play (1.8 which include TheHive-Project/elastic4play#78)

@To-om To-om closed this Feb 5, 2019

@To-om To-om added enhancement and removed bug labels Feb 5, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment