IBX-5985: Added ability to check user against "X-Expected-User" header

[Steveb-p]

Question	Answer
JIRA issue	IBX-5985
Type	improvement
Target version	v4.5 (can be backported?)
BC breaks	no
Tests pass	yes
Doc needed	yes

This is PoC for handling of a special header to check that the user we are executing query with is the same as the REST client expects.

Handles cases where authentication has expired and we would otherwise receive a response for anonymous.

TODO:

• Implement tests.
• Fix new code according to Coding Standards ($ composer fix-cs).
• Ask for Code Review.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
1 Code Smell

No Coverage information
0.0% Duplication

[alongosz]

@Steveb-p From my POV it would be better to have a Response containing header stating X-Authenticated-As: admin. I don't see much security concerns here vs the proposition you have, because both methods allow getting information about authenticated user. But maybe for mine we could have semantic config set by default to false if someone thinks that reveals some information.

[Steveb-p]

@Steveb-p From my POV it would be better to have a Response containing header stating X-Authenticated-As: admin. I don't see much security concerns here vs the proposition you have, because both methods allow getting information about authenticated user. But maybe for mine we could have semantic config set by default to false if someone thinks that reveals some information.

It's not about security. It's about the fact that session might expire when performing REST request, and you would not realize that it happened. Querying for session is a solution, but performing a check each and every time you need to do something is highly innefficient at best.

Request listener has the advantage of stopping the application from performing any queries (database, search, so on) at the very moment there is a discrepancy between expected and actual user. Adding a response header helps for sure, but we can limit the resource usage.

EDIT: Also note this prevents POSTing data as a wrong user (anonymous).

[adamwojs]

@ibexa/php-dev What is the consensus here?

[bdunogier]

As far as I'm concerned, and I have spent a lot of time facing that particular problem (anonymous is a user and can use most resources without any error happening), I really, really like this solution. It will tremendously help with Ibexa Connect and overall any headless app.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
1 Code Smell

No Coverage information
0.0% Duplication

[tomaszszopinski]

A note form Paweł: this functionality could be expanded into email comparison (if theres an interest from client).

[tomaszszopinski]

QA approved on IbexaDXP 4.5 commerce.

[Steveb-p]

Merged up into main in bb782c9.

[bdunogier]

Really good feature, thank you all. Now we just need to implement this in Ibexa Connect :)