
[RFC] Come with security out of the box #109

Closed
teohhanhui opened this issue Jun 23, 2016 · 13 comments

@teohhanhui
Member

commented Jun 23, 2016

We should be more opinionated at least for the standard edition. As it is, the security part is being completely left out.

I suggest we can start by including JWT-based authentication. And probably add some authorization mechanism in api-platform/core (see discussion at api-platform/core#583).

@teohhanhui teohhanhui added the question label Jun 23, 2016

@dunglas

Member

commented Jun 23, 2016

I'm 100% sharing this point of view. I've not already done it because LexikJwtAuthenticationBundle requires the OpenSSL command to be available in the path, but it can be worked around by accepting to store the security key as a string (a Symfony parameter) instead of as a path to a file.

Btw it will make LexikJwtAuthenticationBundle easier to use on PaaS relying on environment variables (like Heroku).

@teohhanhui

Member Author

commented Jun 23, 2016

Why would it require the openssl command in PATH?

https://github.com/lexik/LexikJWTAuthenticationBundle/blob/d8e1a97a7e09280b795a66b0ffa705185795ee32/Services/OpenSSLKeyLoader.php

It's using openssl_pkey_get_private / openssl_pkey_get_public.

@dunglas

Member

commented Jun 23, 2016

For the initial setup (for the standard edition): https://github.com/lexik/LexikJWTAuthenticationBundle/blob/master/Resources/doc/index.md#installation

This is indeed not mandatory at runtime.

@teohhanhui

Member Author

commented Jun 23, 2016

I don't believe that it should be auto-generated, because these keys need to remain the same across deployments (otherwise the JWT signature verification would fail).

If we're thinking about auto-generating the keys for a development environment, it should perhaps be done in the Docker startup script. And I think openssl is already included in the Docker image we're using :)
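The two points raised above (loading the signing key from a string parameter such as an environment variable instead of a file path, and keeping the key identical across deployments so that previously issued tokens still verify) can be shown with a few lines of code. The example below is added here for illustration and is not code from API Platform or LexikJWTAuthenticationBundle; it uses a symmetric HS256 JWS in pure Python standard library so it runs without openssl, whereas the bundle uses an RSA key pair, but the behaviour it demonstrates is the same: a token signed under one key is rejected as soon as the verifier's key is regenerated. The function and variable names (`load_key`, `JWT_SECRET_KEY`, `simulate_redeploy`) are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
from typing import Mapping, Optional


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7515 requires for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_key(env_var: str = "JWT_SECRET_KEY", path: Optional[str] = None,
             env: Optional[Mapping[str, str]] = None) -> bytes:
    """Load the signing key from a string parameter (environment variable),
    falling back to a file path. Names are hypothetical, chosen to mirror the
    'store the key as a parameter instead of a file path' idea from the thread."""
    env = os.environ if env is None else env
    value = env.get(env_var)
    if value:
        return value.encode("utf-8")
    if path:
        with open(path, "rb") as fh:
            return fh.read().strip()
    raise RuntimeError("no JWT signing key configured")


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [json.dumps(header, separators=(",", ":")).encode(),
                json.dumps(claims, separators=(",", ":")).encode()]
    signing_input = ".".join(b64url(s) for s in segments)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the token verifies under `key`, else None.
    The alg header is pinned to HS256 so 'alg: none' or a swapped algorithm
    is rejected before any signature check is attempted."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the MAC through timing.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def simulate_redeploy(regenerate_key: bool) -> bool:
    """Deployment 1 issues a token; deployment 2 verifies it.
    Returns True only if the token is still accepted after the redeploy."""
    key_v1 = secrets.token_bytes(32)
    token = sign_hs256({"sub": "alice"}, key_v1)   # constructed claims
    key_v2 = secrets.token_bytes(32) if regenerate_key else key_v1
    return verify_hs256(token, key_v2) is not None


if __name__ == "__main__":
    print("same key across deployments:", simulate_redeploy(regenerate_key=False))
    print("key regenerated on deploy:  ", simulate_redeploy(regenerate_key=True))
```

Running the script prints `True` for the stable key and `False` for the regenerated one, which is exactly why a key auto-generated at build or boot time breaks every outstanding session; generating a throwaway key in a development startup script is fine precisely because nothing issued under it is expected to survive the next start.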

@Simperfit

Member

commented Oct 29, 2016

I totally agree about that too. It can be done easily and yes, openssl is in our Docker image ;)

@Simperfit

Member

commented Nov 10, 2016

What can we secure? Do we secure the default entity, for example?

@regniblod

commented Jan 26, 2017

Any updates on this?

@lemoinem

commented May 16, 2017

Hi guys!

Reading on this got me thinking about the current state-of-the-art of security in REST APIs and Web Apps based on them.

I wrote a little (ok, not quite so little) piece on that: http://blog.mlemoine.name/2017/04/22/REST-APIs-authentication-and-security.html .

Initial feedback has been good and I thought you could be interested by it. It might help to provide some ideas regarding the "Secure by default" issue and make API Platform even better than it already is.

Any feedback welcome (email or private feedback might be better than this issue, I don't want to hijack it).

@lemoinem

commented May 25, 2017

I've just found https://github.com/Spomky-Labs/jose-bundle which seems to support pretty much everything you could think of in terms of JWT implementation.
They seem to have a much bigger feature set than LexikJWTAuthenticationBundle...

@magarzon

commented May 25, 2017

@lemoinem where do you see a bigger feature set? There is a great lack of documentation in that bundle, which I think is as important as the features, but at a quick look, I haven't even seen anything that LexikJWTAuthenticationBundle is not doing.

@lemoinem

commented May 28, 2017

Well, support of JWE and everything related to encryption. As far as I could see, Lexik only supports JWS. That's the most important feature.
I'm currently in the process of implementing the Authentication API I described in my blog posts.
I will try and package it as a bundle and post an alpha version soon.

If Lexik does support JWE, I will double check my assumptions and see if the implementation is easier with Lexik (or even if I can easily support both).

@Simperfit

Member

commented Apr 6, 2018

Do we still want to do something by default?

@Simperfit

Member

commented May 3, 2018

Closing as this gets no feedback. If we want to provide security by default, please feel free to re-open or to provide a PR directly.

@Simperfit Simperfit closed this May 3, 2018
