CSRF attack possibility? #31
Comments
Hi @eayin2, I like the idea of adding HTTP authentication, maybe it could use Flask-HTTPAuth?! e.g:

```python
from flask import Flask
from flask_apscheduler import APScheduler
from flask_httpauth import HTTPBasicAuth

app = Flask(__name__)

sched = APScheduler()
sched.auth = HTTPBasicAuth()
sched.init_app(app)


@sched.auth.get_password
def get_password(username):
    # get the password from database
    return ...
```

And to make a request:

What do you think?
Sounds good, and with the `requests` module an HTTP request would look like:

Hm, I think that should prevent any CSRF attack and we don't really need confidentiality so basic HTTP auth should suffice. Also HTTP requests to flask-apscheduler are preferably sent on the localhost.
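The reasoning in the two comments above (a session cookie is attached by the browser to any request it is tricked into sending, an `Authorization: Basic` header is not, and a loopback-only rule cannot tell the two apart) can be checked with plain functions. The block below is an added example written for this page; it is not flask-apscheduler's or Flask-HTTPAuth's code. It models the job-creation handler as two stdlib-only Python functions over a request dict, so it runs without Flask; the `USERS` table, the two request dicts, and the handler names are constructed assumptions.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store. A real deployment would load hashed passwords
# from a database, which is what the get_password callback above is for.
USERS = {"scheduler-admin": "correct horse battery staple"}


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Authorization: Basic <base64(user:password)>' into (user, password)."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_valid(user: str, password: str) -> bool:
    """Constant-time password comparison; unknown users still pay for one comparison."""
    expected = USERS.get(user)
    if expected is None:
        hmac.compare_digest(password.encode(), password.encode())
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def basic_header(user: str, password: str) -> str:
    """Build the header an API client (e.g. `requests`) attaches explicitly."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def is_loopback(request: Dict) -> bool:
    """The 'only from localhost' rule from the thread, as a request check."""
    return request["remote_addr"] in ("127.0.0.1", "::1")


def add_job_cookie_auth(request: Dict) -> Tuple[int, Dict]:
    """'Before' handler: trusts a session cookie. The browser sends the cookie
    with any request it is induced to make, so a forged POST passes."""
    if request["headers"].get("Cookie") != "session=logged-in":
        return 401, {"error": "unauthorized"}
    return 201, {"id": request["json"]["id"]}


def add_job_basic_auth(request: Dict) -> Tuple[int, Dict]:
    """Hardened handler: requires explicit Basic credentials on every request."""
    creds = parse_basic_auth(request["headers"].get("Authorization"))
    if creds is None or not credentials_valid(*creds):
        return 401, {"error": "unauthorized"}
    return 201, {"id": request["json"]["id"]}


# Constructed requests. Both originate from a browser on the same machine as
# the scheduler, so both look local; only one carries explicit credentials.
FORGED_POST = {  # what a victim's browser would send after following a bad link
    "remote_addr": "127.0.0.1",
    "headers": {"Cookie": "session=logged-in", "Origin": "http://evil.example"},
    "json": {"id": "forged_job", "func": "tasks:cleanup"},
}
LEGIT_POST = {  # what an API client with the shared secret sends
    "remote_addr": "127.0.0.1",
    "headers": {"Authorization": basic_header("scheduler-admin", "correct horse battery staple")},
    "json": {"id": "nightly_backup", "func": "tasks:backup"},
}


def demo() -> Dict[str, object]:
    """Status codes each handler returns for the two requests, plus the loopback verdicts."""
    return {
        "cookie_handler_forged": add_job_cookie_auth(FORGED_POST)[0],
        "basic_handler_forged": add_job_basic_auth(FORGED_POST)[0],
        "basic_handler_legit": add_job_basic_auth(LEGIT_POST)[0],
        "loopback_forged": is_loopback(FORGED_POST),
        "loopback_legit": is_loopback(LEGIT_POST),
    }


if __name__ == "__main__":
    print(demo())
```

The loopback check returns True for both requests, which is the point made in the issue: a link opened in a browser on the scheduler host still arrives from 127.0.0.1. One caveat on the basic-auth side: the protection relies on the credential being attached by an API client, not remembered by a browser. If an operator logs in to the scheduler with Basic auth from a browser, that browser will resend the cached credential to the same origin, so for browser-driven use a CSRF token or a SameSite cookie policy is still needed.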
Hi @eayin2 I did a first version of authentication, it isn't using any external library. I added an example of how to use it: Authentication is disabled by default. Let me know what you think.

Just tested it and it works fine for me, thank you! :)

Hi @eayin2 I've made some changes in the authentication, now there are some classes to deal with the authentication methods. Take a look at the examples to see how to enable the HTTP basic authentication. https://github.com/viniciuschiele/flask-apscheduler/blob/master/examples/auth.py#L18
Doesn't a REST API around apscheduler come with the risk of CSRF attacks, considering that someone could add a job by having you click on a link which sends an HTTP POST request to add a job? https://github.com/viniciuschiele/flask-apscheduler/blob/master/flask_apscheduler/views.py#L35-L46 ?

I'd allow access to flask-apscheduler only from localhost, but it might not be sufficient (see: https://lwn.net/Articles/703485/) if you just click a bad link which knows about your flask-apscheduler service and adds a job to it. If you don't run a web browser on your production server you're fine, because then you don't click on any links, but maybe it should still be considered?

A workaround could be to add jobs via a configuration file (so you are secured by Linux file permissions) and then send a REST API request to reload jobs from the configuration file?

Maybe also adding authentication to HTTP requests could improve security?