View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0006633 | libeufin | libeufin-nexus | public | 2020-10-29 22:10 | 2023-02-02 00:25 |
| Reporter | MS | Assigned To | MS | ||
| Priority | urgent | Severity | minor | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | ||
| Target Version | 0.9.1 | ||||
| Summary | 0006633: Not all the requests get authenticated! | ||||
| Description | Make sure that all the requests check the Authorization-header. | ||||
| Tags | No tags attached. | ||||
Notes

MS (note 0017911, 2021-05-27): It seems that some Taler facade API calls do not check any authorization. Besides that, all the "direct" EBICS operations (like /send-ini, for example) do not check the authorization either.

MS (note 0017912, 2021-05-27, edited 2023-01-15): Errata: Taler does check for authorization, just "later" in the flow, in the context of checking the permissions over the resources being offered. The only exception is /admin/add/incoming offered by Nexus. There, no authentication gets checked, because there is nothing to protect: see 0007588.

MS (note 0019669, 2023-01-15): Adding here the missing authentication checks: b714f8cd..fe4eaf34. The access control for the Nexus native API should however be made finer grained, as every call expects superuser privileges; tests and deployment fulfill that.
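The pattern behind this issue, as an added example that is not libeufin code: when each handler is trusted to check the Authorization header on its own, one handler that forgets the check is an unauthenticated endpoint, and nothing notices. The example below uses hypothetical routes (/ebics/send-ini, /history) and an in-memory dispatcher standing in for the Nexus server, with a constructed credential; /admin/add/incoming is kept as the one deliberately public route, matching the errata above. It shows the per-handler style with one forgotten check, the central style (authenticate before routing, fail closed, explicit allowlist), and an audit that sends a credential-less request to every registered route so a missing check is caught by a test rather than by a bug report.

```python
"""Added example (not libeufin code): one authentication chokepoint for an HTTP API."""
import base64
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed credential for the example; a real server checks a hashed store.
USERS = {"admin": "admin-secret"}

Route = Tuple[str, str]      # (method, path)
Response = Tuple[int, str]   # (status, body)


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    user: Optional[str] = None


def authenticate(headers: Dict[str, str]) -> Optional[str]:
    """Username for a valid 'Basic' Authorization header, otherwise None.
    Never raises: malformed input is simply 'not authenticated'."""
    header = headers.get("Authorization")
    if header is None:
        return None
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic" or not value:
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    expected = USERS.get(user)
    if not sep or expected is None:
        return None
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def basic(user: str, password: str) -> Dict[str, str]:
    """Header a client would send for HTTP Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


# --- "before": every handler is trusted to check on its own ----------------
def h_send_ini(req: Request) -> Response:
    req.user = authenticate(req.headers)
    if req.user is None:
        return 401, "unauthorized"
    return 200, f"INI sent by {req.user}"


def h_history(req: Request) -> Response:        # the bug: no check at all
    return 200, "history"


def h_add_incoming(req: Request) -> Response:   # deliberately public
    return 200, "incoming recorded"


ROUTES: Dict[Route, Callable[[Request], Response]] = {
    ("POST", "/ebics/send-ini"): h_send_ini,    # hypothetical paths
    ("GET", "/history"): h_history,
    ("POST", "/admin/add/incoming"): h_add_incoming,
}
PUBLIC = {("POST", "/admin/add/incoming")}      # the only allowed exception


def dispatch_per_handler(req: Request) -> Response:
    handler = ROUTES.get((req.method, req.path))
    return handler(req) if handler else (404, "not found")


# --- "after": authenticate first, route second -----------------------------
def dispatch_central(req: Request) -> Response:
    key = (req.method, req.path)
    handler = ROUTES.get(key)
    if handler is None:
        return 404, "not found"
    if key not in PUBLIC:
        req.user = authenticate(req.headers)
        if req.user is None:                    # fail closed
            return 401, "unauthorized"
    return handler(req)


def audit(dispatch, routes=ROUTES, public=PUBLIC):
    """Send a credential-less request to every route; return the routes that
    answer with anything but 401 although they are not on the allowlist."""
    return sorted(key for key in routes
                  if key not in public and dispatch(Request(*key))[0] != 401)


if __name__ == "__main__":
    print("per-handler auth, unprotected routes:", audit(dispatch_per_handler))
    print("central auth, unprotected routes:   ", audit(dispatch_central))
```

The audit is the part worth keeping in a test suite: it does not depend on how handlers are written, only on the route table and the allowlist, so a new route added without credentials (or added to the allowlist by mistake) shows up the next time the tests run. Finer-grained access control, as the last note asks for, would replace the single `authenticate` result with a per-user permission check inside `dispatch_central`, still before the handler runs.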
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2020-10-29 22:10 | MS | New Issue | |
| 2020-11-10 11:47 | MS | Target Version | => 0.9.2 |
| 2021-01-14 00:27 | Florian Dold | Assigned To | => Florian Dold |
| 2021-01-14 00:27 | Florian Dold | Status | new => assigned |
| 2021-01-14 00:27 | Florian Dold | Priority | normal => urgent |
| 2021-05-27 10:35 | MS | Note Added: 0017911 | |
| 2021-05-27 10:36 | MS | Note Edited: 0017911 | |
| 2021-05-27 10:47 | MS | Note Added: 0017912 | |
| 2023-01-08 11:22 | Christian Grothoff | Target Version | 0.9.2 => 0.9.1 |
| 2023-01-10 18:54 | Florian Dold | Assigned To | Florian Dold => MS |
| 2023-01-15 17:48 | MS | Note Edited: 0017912 | |
| 2023-01-15 18:47 | MS | Note Added: 0019669 | |
| 2023-01-15 18:47 | MS | Status | assigned => resolved |
| 2023-01-15 18:47 | MS | Resolution | open => fixed |
| 2023-02-02 00:25 | Christian Grothoff | Status | resolved => closed |
| 2023-04-13 20:38 | Florian Dold | Category | nexus => libeufin-nexus |