-
-
Notifications
You must be signed in to change notification settings - Fork 554
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v3: authentication is run after validation #2116
Comments
By design, the authentication runs at the endpoint level and not at the transport level. But the request validations happen at the transport level. I think this might be ok for most use cases. I will defer that to @raphael . You can however provide your own HTTP middleware to do authentication before any of these validations occur. |
I see the main problem on enums or regex validations containing exposed values:
|
It should be possible to move the validation of payload (and responses in clients to be consistent) to the endpoint which would alleviate this issue. I'd happily merge a PR that did that. |
@raphael Do you have any hints to get startet with that PR? |
I started looking into this one. I setup a project with a design that demonstrates the issue. It looks like this is only an issue on the http transport code where the authorization related error is merged with the validation errors, the grpc code returns the error right away on auth failure and doesn't get to the other validations. Of course I'm only looking at one simple use case and I know the templates are more complex than this. See my use cases here the http one: and here the grpc one: It looks like this code is generated by: https://github.com/goadesign/goa/blob/v3/http/codegen/server.go#L137 I'm starting to get my head around how the generation works now that I've started investigating this...still a lot to learn. That method references the templates defined later in the same file. I'm still looking at those and started adding a test similar to query-string-validate from: https://github.com/goadesign/goa/blob/v3/http/codegen/server_decode_test.go#L37 That will exercise this use case. It looks like this may be as easy as moving the authorization related blocks up in the templates and ensuring they return their errors rather than merging them with validation errors. I'm not sure if there are any impacts or related changes required in the gokit plugin, it looks like it just wraps the functions generated by goa, so I think nothing has to change there. |
Sorry @eric-isakson, I lost track of this issue - will take a look. |
@raphael no worries, I had not spent any real time on it other than using it to learn more of the generation details. The linked commit in my fork is just trying to capture the issue as a failing test, not really sure what the right fixes might be. |
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
Seems like validation of path parameters on HTTP runs before authentication, which can lead to information leaking.
e.g. using
in a method with e.g. BasicAuth security leads to:
instead of:
BTW: Goa's 400 response above is missing the Goa-Error header - is that a separate issue?
The text was updated successfully, but these errors were encountered: