Right now, requests with admin rights can only come from reg-regsys-classic, that is, from the space behind the Apache reverse proxy.
This presents an opportunity to protect against admin requests coming in over the API, until 2FA becomes available:
Requests should only count as "admin" in IdentityManager if, in addition to having a token with the admin group, they also come with the header "X-Admin-Request" = "available". This header will be blocked in the Apache reverse proxy, just like the "X-Api-Token" header already is.
This is the respective implementation in reg-attendee-service.
```go
// checkInternalAdminRequestHeader is a temporary safety measure until we have 2FA for admins.
//
// enforce extra internal request header for admin requests (header blocked for external requests)
//
// TODO: remove this workaround
func checkInternalAdminRequestHeaderForGroup(ctx context.Context, r *http.Request, group string) bool {
	if group == config.OidcAdminGroup() {
		adminRequestHeaderValue := r.Header.Get("X-Admin-Request")
		if adminRequestHeaderValue != "available" {
			aulogging.Logger.Ctx(ctx).Warn().Print("X-Admin-Request header was not set correctly!")
			return false
		}
	}
	return true
}
```
Should also be added to payment service, clearly marked as TODO to remove again when 2FA is here.
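As an added example (not code from the issue or from the reg-attendee-service project), the following Go program shows both halves of the scheme together: the reverse proxy stripping the internal header from external requests, and the service granting admin only when the token group and the header are both present. The names `adminDecision`, `isEffectiveAdmin`, `stripExternalHeaders` and the group value `"admin"` are assumptions made for this example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// Hypothetical names for this example: the admin group claim and the internal-only header.
const adminGroup, adminHeader, adminValue = "admin", "X-Admin-Request", "available"

// stripExternalHeaders emulates the Apache reverse proxy: internal-only headers
// supplied by an external client are dropped, like X-Api-Token already is.
func stripExternalHeaders(r *http.Request) {
	r.Header.Del(adminHeader)
	r.Header.Del("X-Api-Token")
}

// isEffectiveAdmin grants admin only when the token carries the admin group AND the
// internal header has the expected value; otherwise it fails closed and logs the mismatch.
func isEffectiveAdmin(r *http.Request, groups []string) bool {
	inAdminGroup := false
	for _, g := range groups {
		inAdminGroup = inAdminGroup || g == adminGroup
	}
	if !inAdminGroup {
		return false
	}
	if r.Header.Get(adminHeader) != adminValue {
		log.Printf("%s header was not set correctly; admin rights withheld", adminHeader)
		return false
	}
	return true
}

// adminDecision builds one constructed request (token groups, headers as sent) and runs it through the proxy step when it arrives externally.
func adminDecision(groups []string, hdrs map[string]string, external bool) bool {
	r := httptest.NewRequest(http.MethodGet, "/admin/attendees", nil)
	for k, v := range hdrs { r.Header.Set(k, v) }
	if external { stripExternalHeaders(r) }
	return isEffectiveAdmin(r, groups)
}

func main() {
	hdr := map[string]string{adminHeader: adminValue}
	// internal path keeps the header (true); external path has it stripped by the proxy (false)
	fmt.Println(adminDecision([]string{adminGroup}, hdr, false), adminDecision([]string{adminGroup}, hdr, true))
}
```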