IBX-5985: Added ability to check user against "X-Expected-User" header #56
Kudos, SonarCloud Quality Gate passed! 0 Bugs No Coverage information
@Steveb-p From my POV it would be better to have a Response containing a header stating X-Authenticated-As: admin. I don't see many security concerns here vs the proposition you have, because both methods allow getting information about the authenticated user. But maybe for mine we could have semantic config set by default to false if someone thinks that reveals some information.
It's not about security. It's about the fact that the session might expire when performing a REST request, and you would not realize that it happened. Querying for the session is a solution, but performing a check each and every time you need to do something is highly inefficient at best. A request listener has the advantage of stopping the application from performing any queries (database, search, and so on) at the very moment there is a discrepancy between the expected and actual user. Adding a response header helps for sure, but we can limit the resource usage. EDIT: Also note this prevents POSTing data as a wrong user (anonymous).
@ibexa/php-dev What is the consensus here?
As far as I'm concerned, and I have spent a lot of time facing that particular problem (anonymous is a user and can use most resources without any error happening), I really, really like this solution. It will tremendously help with Ibexa Connect and overall any headless app.
Co-authored-by: Adam Wójs <adam@wojs.pl>
A note from Paweł: this functionality could be expanded into email comparison (if there's interest from a client).
QA approved on IbexaDXP 4.5 commerce.
Merged up into
Really good feature, thank you all. Now we just need to implement this in Ibexa Connect :)
v4.5
(can be backported?)

This is a PoC for handling a special header to check that the user we are executing the query as is the same one the REST client expects.
Handles cases where authentication has expired and we would otherwise receive a response for anonymous.
TODO:
$ composer fix-cs
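The behaviour the PR description and the discussion above call for (reject the request in a request listener, before any controller, database or search query runs, when the session user is not the one the REST client asserted in X-Expected-User) can be sketched as a Symfony event subscriber. This is an added illustration, not the PR's own code: only the header name comes from the page; the class name, the event priority, the 401 status and the JSON error body are assumptions, and the `Security` service class is imported from the location used by Symfony 5.x/6.0 (later versions moved it to `Symfony\Bundle\SecurityBundle\Security`).

```php
<?php
declare(strict_types=1);

// Added example, not Ibexa's implementation. A kernel.request subscriber that
// compares the X-Expected-User header (from the PR) with the user the firewall
// actually resolved from the session, and short-circuits on a mismatch.
// Class name, priority, status code and error body are assumptions.

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Security\Core\User\UserInterface;

final class ExpectedUserSubscriber implements EventSubscriberInterface
{
    public const HEADER = 'X-Expected-User';

    public function __construct(private Security $security)
    {
    }

    public static function getSubscribedEvents(): array
    {
        // Symfony's firewall listener runs on kernel.request at priority 8;
        // priority 7 runs right after it, so the session user is already
        // resolved, but still before any controller is invoked.
        return [KernelEvents::REQUEST => ['onKernelRequest', 7]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();

        // The header is opt-in: clients that do not send it are unaffected,
        // and sub-requests (fragments, error pages) are skipped.
        if (!$event->isMainRequest() || !$request->headers->has(self::HEADER)) {
            return;
        }

        $expected = (string) $request->headers->get(self::HEADER);
        $user = $this->security->getUser();

        // An expired session yields no user object at all (anonymous); that is
        // exactly the case the PR wants to catch, including POSTs as anonymous.
        $actual = $user instanceof UserInterface ? $user->getUserIdentifier() : null;

        if ($actual === null || $actual !== $expected) {
            // Setting a response here stops the kernel: no controller runs,
            // so no database or search query is executed for the wrong user.
            // The body echoes only what the client already sent and does not
            // reveal who is actually authenticated.
            $event->setResponse(new JsonResponse([
                'error' => 'Authenticated user does not match ' . self::HEADER,
                'expected' => $expected,
            ], 401));
        }
    }
}
```

Registered as a service with autoconfiguration, the subscriber is picked up automatically. A headless client such as the one mentioned in the thread would send `X-Expected-User: <login>` on every REST call; a 401 from this listener is then an unambiguous signal that the session is gone and the client must re-authenticate, rather than a silently successful response computed as anonymous.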