[RFC] Come with security out of the box #109
Comments
I'm 100% sharing this point of view. I've not already done it because LexikJwtAuthenticationBundle requires the OpenSSL command to be available in the path, but it can be worked around by accepting to store the security key as a string (a Symfony parameter) instead of as a path to a file. Btw it will make LexikJwtAuthenticationBundle easier to use on PaaS relying on environment variables (like Heroku).
Why would it require the It's using
For the initial setup (for the standard edition): https://github.com/lexik/LexikJWTAuthenticationBundle/blob/master/Resources/doc/index.md#installation This is indeed not mandatory at runtime.
I don't believe that it should be auto-generated, because these keys need to remain the same across deployments (otherwise the JWT signature verification would fail). If we're thinking about auto-generating the keys for a development environment, it should perhaps be done in the Docker startup script. And I think openssl is already included in the Docker image we're using :)
I totally agree about that too. It can be done easily and yes, openssl is in our docker image ;)
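The Docker startup step discussed in the two comments above, written out as an added shell example (not code from the API Platform or Lexik projects): keys are generated only when absent, so an existing pair survives restarts and redeploys, and a passphrase that cannot open the existing private key fails the start early. The `config/jwt` location, the `JWT_*` environment variables and the key size are assumptions.

```shell
#!/bin/sh
# Idempotent JWT key-pair bootstrap for a development container entrypoint.
# Assumed layout: config/jwt/private.pem and config/jwt/public.pem (not from the thread).
set -eu

JWT_DIR="${JWT_DIR:-config/jwt}"          # assumed variable name
JWT_PASSPHRASE="${JWT_PASSPHRASE:-}"      # assumed; supplied by the container runtime
JWT_BITS="${JWT_BITS:-4096}"              # assumed; RSA modulus size for new keys

# ensure_jwt_keys DIR PASSPHRASE BITS
# Creates an RSA key pair in DIR unless one already exists. Never overwrites:
# regenerating the pair would invalidate every token already issued.
ensure_jwt_keys() {
    dir="$1"
    pass="$2"
    bits="$3"
    if [ -f "$dir/private.pem" ] && [ -f "$dir/public.pem" ]; then
        # Keys exist: keep them, but fail fast if the passphrase we were given
        # cannot read the private key (otherwise the app fails at first login).
        if ! openssl pkey -in "$dir/private.pem" -passin "pass:$pass" -noout 2>/dev/null; then
            echo "JWT private key in $dir cannot be read with the given passphrase" >&2
            return 1
        fi
        echo "JWT keys already present in $dir, keeping them" >&2
        return 0
    fi
    mkdir -p "$dir"
    if [ -n "$pass" ]; then
        # Encrypt the private key at rest with the passphrase.
        openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
            -aes256 -pass "pass:$pass" -out "$dir/private.pem" 2>/dev/null
        openssl pkey -in "$dir/private.pem" -passin "pass:$pass" \
            -pubout -out "$dir/public.pem"
    else
        # No passphrase (dev only): plain PKCS#8 private key.
        openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
            -out "$dir/private.pem" 2>/dev/null
        openssl pkey -in "$dir/private.pem" -pubout -out "$dir/public.pem"
    fi
    chmod 600 "$dir/private.pem"   # only the app user may read the signing key
    chmod 644 "$dir/public.pem"    # the verification key is not secret
    echo "generated new JWT key pair in $dir" >&2
}

# Run as an entrypoint step only when explicitly enabled (assumed switch).
if [ "${JWT_BOOTSTRAP:-0}" = "1" ]; then
    ensure_jwt_keys "$JWT_DIR" "$JWT_PASSPHRASE" "$JWT_BITS"
fi
```

Set `JWT_BOOTSTRAP=1` only in the development compose file; production keys should be mounted or injected, never generated on start.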
What can we secure? Do we secure the default entity for example?
Any updates on this?
Hi guys! Reading on this got me thinking about the current state-of-the-art of security in REST APIs and Web Apps based on them. I wrote a little (ok, not quite so little) piece on that: http://blog.mlemoine.name/2017/04/22/REST-APIs-authentication-and-security.html . Initial feedback has been good and I thought you could be interested by it. It might help to provide some ideas regarding the "Secure by default" issue and make API Platform even better than it already is. Any feedback welcome (email or private feedback might be better than this issue, I don't want to hijack it).
I've just found https://github.com/Spomky-Labs/jose-bundle which seems to support pretty much everything you could think of in terms of JWT implementation.
@lemoinem where do you see a bigger feature? There is a great lack of documentation in that bundle, which I think is as important as the features, but in a quick look, I haven't even seen anything that LexikJWTAuthenticationBundle is not doing.
Well, support of JWE and everything related to encryption. As far as I could see, Lexik only supports JWS. That's the most important feature. If Lexik does support JWE, I will double check my assumptions and see if the implementation is easier with Lexik (or even if I can easily support both).
Do we still want to do something by default?
Closing as this gets no feedback. If we want to provide security by default, please feel free to re-open or to provide a PR directly.
We should be more opinionated at least for the standard edition. As it is, the security part is being completely left out.
I suggest we can start by including JWT-based authentication. And probably add some authorization mechanism in api-platform/core (see discussion at api-platform/core#583).