Undocumented REST API connexion · Issue #6 · lirmm/waves-core · GitHub

Undocumented REST API connexion #6

CVroland opened this issue Nov 5, 2018 · 3 comments
Comments

@CVroland commented Nov 5, 2018

It is possible to connect a client to the REST API with username/password:

```python
from coreapi import Client, auth

url = 'http://127.0.0.1:8000/api/schema'
username = 'toto'
password = 'secret123'

# HTTP Basic authentication: coreapi adds an Authorization header to every request
client = Client(
    auth=auth.BasicAuthentication(
        username=username,
        password=password))
document = client.get(url)
```

But this method is not in the documentation.

@vincent-lefort (Collaborator) commented:

As the login/password are sent without encryption, this is an insecure way to get authenticated to the server through the API. We recommend not doing so. You would rather authenticate using a token.

@CVroland (Author) commented:

If the web site is in HTTPS, it should be OK. The encryption should be ensured by the security level of the protocol.

Moreover, if sending username and password in plain text is a problem, the HTML connection page is also unsecured. It's a simple form without any security part. I don't see any JS script. It sends values for csrfmiddlewaretoken (security against cross-site request forgery), id_username (username), id_password (password) and next (page to open after the connection).
(Maybe create another issue for this?)

@marcoooo (Contributor) commented:

> If the web site is in HTTPS, it should be OK. The encryption should be ensured by the security level of the protocol.
>
> Moreover, if sending username and password in plain text is a problem, the HTML connection page is also unsecured. It's a simple form without any security part. I don't see any JS script. It sends values for csrfmiddlewaretoken (security against cross-site request forgery), id_username (username), id_password (password) and next (page to open after the connection).
> (Maybe create another issue for this?)

Well, HTTPS should be set everywhere, I completely agree.
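The two points raised in the thread (Basic credentials are only encoded, not encrypted, and are therefore safe only behind HTTPS; a token is the better choice) can be made concrete with a small stdlib-only helper. This is an added example, not code from the thread or from waves-core; the `Token` header scheme is an assumption and must match whatever the server actually expects.

```python
import base64
from urllib.parse import urlsplit


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization header that BasicAuthentication sends on every request."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def credentials_from_header(header: str):
    """Recover username/password from a Basic header.

    Base64 is an encoding, not encryption: anyone who can read the request
    (e.g. on a plain-http hop or in a proxy log) gets the password back with
    this one call. Returns None for non-Basic headers.
    """
    scheme, _, value = header.partition(" ")
    if scheme != "Basic":
        return None
    user, _, password = base64.b64decode(value).decode("utf-8").partition(":")
    return user, password


def auth_headers(url: str, *, token: str = None, username: str = None,
                 password: str = None, token_scheme: str = "Token") -> dict:
    """Pick request headers for the API at `url`.

    A token is always preferred: it reveals no password and can be revoked
    server-side. Basic credentials are only emitted when the URL is https, so a
    misconfigured http:// URL fails loudly instead of leaking the password.
    `token_scheme` is an assumption; the server's documentation decides it.
    """
    if token:
        return {"Authorization": f"{token_scheme} {token}"}
    scheme = urlsplit(url).scheme
    if scheme != "https":
        raise ValueError(f"refusing to send Basic credentials over {scheme!r}; use https or a token")
    if not (username and password):
        raise ValueError("no credentials supplied")
    return {"Authorization": basic_auth_header(username, password)}
```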
