
[RFC] Come with security out of the box #109

Closed
teohhanhui opened this issue Jun 23, 2016 · 13 comments

Comments

@teohhanhui (Contributor)

We should be more opinionated at least for the standard edition. As it is, the security part is being completely left out.

I suggest we can start by including JWT-based authentication. And probably add some authorization mechanism in api-platform/core (see discussion at api-platform/core#583).

@dunglas (Member) commented Jun 23, 2016

I'm 100% sharing this point of view. I haven't done it yet because LexikJwtAuthenticationBundle requires the OpenSSL command to be available in the path, but it can be worked around by accepting to store the security key as a string (a Symfony parameter) instead of as a path to a file.

Btw, it will make LexikJwtAuthenticationBundle easier to use on PaaS relying on environment variables (like Heroku).

@teohhanhui (Contributor, Author)

Why would it require the openssl command in PATH?

https://github.com/lexik/LexikJWTAuthenticationBundle/blob/d8e1a97a7e09280b795a66b0ffa705185795ee32/Services/OpenSSLKeyLoader.php

It's using openssl_pkey_get_private / openssl_pkey_get_public.

@dunglas (Member) commented Jun 23, 2016

For the initial setup (for the standard edition): https://github.com/lexik/LexikJWTAuthenticationBundle/blob/master/Resources/doc/index.md#installation

This is indeed not mandatory at runtime.

@teohhanhui (Contributor, Author)

I don't believe that it should be auto-generated, because these keys need to remain the same across deployments (otherwise the JWT signature verification would fail).

If we're thinking about auto-generating the keys for a development environment, it should perhaps be done in the Docker startup script. And I think openssl is already included in the Docker image we're using :)

@Simperfit (Contributor)

I totally agree about that too. It can be done easily and yes, openssl is in our Docker image ;)
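The two points raised above, that signing keys must stay identical across deployments and that on a PaaS the key may arrive as a string in an environment variable rather than as a file, translate into a small idempotent startup step. The following is an added example of such a Docker entrypoint helper; it is not code from this thread, from API Platform or from LexikJWTAuthenticationBundle. The directory layout, the `JWT_PASSPHRASE` and `JWT_PRIVATE_KEY` variable names and the key size are assumptions; the `openssl genrsa` / `openssl rsa` commands are the standard OpenSSL CLI.

```shell
#!/bin/sh
# Added example (not project code): make sure a JWT signing key pair exists
# before the application starts, without ever regenerating an existing one.
# Assumptions: keys live in the directory given as $1, the private key is
# encrypted with $JWT_PASSPHRASE, and on a PaaS the PEM text of the private
# key may be injected through $JWT_PRIVATE_KEY instead of generated here.
set -eu

# ensure_jwt_keys DIR [BITS]
# Prints one of: reused | imported | created
ensure_jwt_keys() {
    dir=$1
    bits=${2:-4096}
    priv="$dir/private.pem"
    pub="$dir/public.pem"
    passphrase=${JWT_PASSPHRASE:?JWT_PASSPHRASE must be set}

    # Keys already present: never touch them, otherwise every token issued
    # before this restart would stop verifying.
    if [ -s "$priv" ] && [ -s "$pub" ]; then
        echo reused
        return 0
    fi
    # Half a pair is a broken deployment, not something to silently repair.
    if [ -s "$priv" ] || [ -s "$pub" ]; then
        echo "refusing to overwrite an incomplete key pair in $dir" >&2
        return 1
    fi

    mkdir -p "$dir"
    umask 077   # private key readable by the application user only

    if [ -n "${JWT_PRIVATE_KEY:-}" ]; then
        # PaaS case: key material comes from the environment (same passphrase
        # assumed); nothing is generated, so all instances share one key.
        printf '%s\n' "$JWT_PRIVATE_KEY" > "$priv"
        outcome=imported
    else
        # Development / first-boot case: generate a fresh encrypted RSA key.
        openssl genrsa -aes256 -passout "pass:$passphrase" \
            -out "$priv" "$bits" 2>/dev/null
        outcome=created
    fi

    # Derive the public key the token verifier will load.
    openssl rsa -in "$priv" -passin "pass:$passphrase" -pubout \
        -out "$pub" 2>/dev/null
    chmod 644 "$pub"
    echo "$outcome"
}

# jwt_public_key_fingerprint DIR
# SHA-256 of the DER public key; log this at startup so an unexpected key
# rotation (the failure mode teohhanhui describes) is visible immediately.
jwt_public_key_fingerprint() {
    openssl rsa -pubin -in "$1/public.pem" -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Entrypoint usage: ./jwt-keys.sh /srv/app/config/jwt
if [ -n "${1:-}" ]; then
    ensure_jwt_keys "$1"
    echo "jwt public key sha256: $(jwt_public_key_fingerprint "$1")"
fi
```

Running this on every container start is safe because the first check short-circuits when both files exist; the fingerprint line gives operators a cheap way to confirm that a redeploy did not rotate the key behind their back.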

@Simperfit (Contributor)

What can we secure? Do we secure the default entity, for example?

@regniblod

Any updates on this?

@lemoinem

Hi guys!

Reading on this got me thinking about the current state-of-the-art of security in REST APIs and Web Apps based on them.

I wrote a little (ok, not quite so little) piece on that: http://blog.mlemoine.name/2017/04/22/REST-APIs-authentication-and-security.html .

Initial feedback has been good and I thought you could be interested in it. It might help to provide some ideas regarding the "Secure by default" issue and make API Platform even better than it already is.

Any feedback welcome (email or private feedback might be better than this issue, I don't want to hijack it).

@lemoinem

I've just found https://github.com/Spomky-Labs/jose-bundle which seems to support pretty much everything you could think of in terms of JWT implementation.
They seem to have a much bigger feature set than LexikJWTAuthenticationBundle...

@magarzon

@lemoinem where do you see the bigger feature set? There is a great lack of documentation in that bundle, which I think is as important as the features, but at a quick look, I haven't even seen anything that LexikJWTAuthenticationBundle is not doing.

@lemoinem commented May 28, 2017

Well, support of JWE and everything related to encryption. As far as I could see, Lexik only supports JWS. That's the most important feature.
I'm currently in the process of implementing the Authentication API I described in my blog posts.
I will try and package it as a bundle and post an alpha version soon.

If Lexik does support JWE, I will double check my assumptions and see if the implementation is easier with Lexik (or even if I can easily support both).

@Simperfit (Contributor)

Do we still want to do something by default?

@Simperfit (Contributor)

Closing as this gets no feedback. If we want to provide security by default, please feel free to re-open or to provide a PR directly.
