Add dialog token auth check on subscriptions #1104
oskogstad added a commit that referenced this issue on Sep 30, 2024:
## Description

DialogEvents subscription now requires a valid DialogToken

## Related Issue(s)

- #1104

## Verification

- [x] **Your** code builds clean without any errors or warnings
- [ ] Manual testing done (required)
- [ ] Relevant automated test added (if you find this hard, leave it and we'll help out)

## Documentation

- [ ] Documentation is updated (either in `docs`-directory, Altinnpedia or a separate linked PR in [altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if applicable)

## Summary by CodeRabbit

- **New Features**
  - Enhanced security for `dialogEvents` subscription with new authorization requirements.
  - Introduced `DialogTokenMiddleware` for handling JWT in requests.
  - Added methods to extract dialog ID from subscription operations.
  - New constant for dialog token issuer version introduced.
- **Bug Fixes**
  - Improved authorization policies with added null checks and validations.
- **Documentation**
  - Updated configuration settings for local development to enable authentication and adjust JWT generation settings.

---------

Co-authored-by: Magnus Sandgren <5285192+MagnusSandgren@users.noreply.github.com>
Co-authored-by: Knut Haug <knut.espen.haug@digdir.no>
## Introduction

GraphQL subscriptions currently require a valid JWT.
However, when subscribing to a topic, there are no checks for auth/validity of the dialogID.
This is a possible attack surface.

## Implementation

Require a DialogToken when subscribing to a topic.
Check the `i` claim against the subscription dialogId.

## Tasks

## Threat modelling
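The check the issue asks for, as an added example that is not Dialogporten's own code: a dialog token is only accepted for the subscription if it verifies *and* its `i` claim equals the `dialogId` the client asked to subscribe to. The token format, the HMAC signing key (a stand-in for the issuer's real key), the dialog ids and the fixed clock are all constructed for the example; `authorize_subscription_before` shows the gap described above (any valid token opens any dialog's topic) beside the corrected `authorize_subscription`.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption: an HMAC key stands in for the DialogToken issuer's signing key.
# The real issuer uses asymmetric keys; the 'i' claim check below is the same either way.
ISSUER_KEY = b"constructed-local-dev-key-do-not-use"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_dialog_token(dialog_id: str, key: bytes, now: int, ttl: int = 600) -> str:
    """Issue a compact JWT whose 'i' claim binds the token to exactly one dialog."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"i": dialog_id, "iat": now, "exp": now + ttl}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_dialog_token(token: str, key: bytes, now: int) -> Optional[dict]:
    """Return the claims if structure, signature and expiry check out, else None."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
        return None
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


def authorize_subscription_before(token: str, key: bytes, now: int) -> bool:
    """The gap the issue describes: a valid token is accepted for ANY dialogId."""
    return verify_dialog_token(token, key, now) is not None


def authorize_subscription(token: str, requested_dialog_id: str, key: bytes, now: int) -> bool:
    """The fix: the token must verify AND its 'i' claim must equal the dialogId
    taken from the subscription arguments, so a token for dialog A cannot open A's
    holder a stream of events for dialog B."""
    claims = verify_dialog_token(token, key, now)
    if claims is None:
        return False
    bound_dialog = claims.get("i")
    if not isinstance(bound_dialog, str):
        return False
    return hmac.compare_digest(bound_dialog.encode(), requested_dialog_id.encode())


# Constructed sample: two dialog ids and a token minted for the first one only.
DIALOG_A = "0191f3f2-1c6d-7b8e-9a0f-0123456789ab"
DIALOG_B = "0191f3f2-1c6d-7b8e-9a0f-ba9876543210"
NOW = 1_727_683_200  # fixed clock so the results are reproducible
TOKEN_A = mint_dialog_token(DIALOG_A, ISSUER_KEY, NOW)

if __name__ == "__main__":
    print("before, other dialog:", authorize_subscription_before(TOKEN_A, ISSUER_KEY, NOW))
    print("after, own dialog:   ", authorize_subscription(TOKEN_A, DIALOG_A, ISSUER_KEY, NOW))
    print("after, other dialog: ", authorize_subscription(TOKEN_A, DIALOG_B, ISSUER_KEY, NOW))
```

In the service itself the `dialogId` comes from the subscription operation's arguments and the token from the request, which is what the middleware named in the referenced commit has to wire together; the example keeps both as plain parameters so the claim comparison is the only thing on show.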