Request Type
Bug
Work Environment
Problem Description
So this started out with me creating a Chrome extension for the team to get notified when new alerts are created in Hive. This works by polling the API every 30 seconds to a minute and looking at the number of alerts and source references. (Yes, I can publish this once it's done.) However, I wanted to make a user with read-only access and use the same API token for the extension for everyone on the team rather than sending each user their own token. (I know, probably not the best solution, but it was a work in progress.) However, when I started playing with this I realized that it created a session with Hive and logged the UI into the same user that was making the API calls. In one way this is very convenient, because if you just use your API token you are always logged in :)
... However, when I started to think about this more I started to see some issues with this, because it would be easy for an admin to assume the role of any user and make calls via the UI. (I don't think the audit trail shows if changes were made via UI or API; this would be useful too.) I am also wondering how this would affect users when using other authentication methods like LDAP or X.509? Could you bypass MFA when using an SSO service that supports X.509 and MFA?
Solutions
When making calls with an API token, maybe don't return a session cookie? Or at least not a cookie that allows access to non-API calls?
Also, in my use case it would be nice to be able to make API calls without sending the API token in the headers (it seems like this might be doable for a quick test) and just use the current user's session, thus forcing them to log back in if it has been too long.
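A quick way for an administrator to confirm the behaviour described in this issue, and to re-check it after an upgrade, is to send one token-authenticated request with no cookie jar attached and see whether the response sets a UI session cookie. The script below is an added example, not code from TheHive or from the extension mentioned above; it assumes TheHive 3's `GET /api/alert` endpoint with `Authorization: Bearer` and that the UI session cookie is the Play framework default `PLAY_SESSION` (adjust `SESSION_COOKIE_NAMES` if your deployment differs).

```python
"""Check whether an API-token call to TheHive also hands back a UI session cookie."""
import os
import sys
from urllib.request import Request, urlopen

# Cookie names that would let a browser reuse the token's identity in the UI.
# PLAY_SESSION is the Play framework default TheHive 3 is built on (assumption).
SESSION_COOKIE_NAMES = {"PLAY_SESSION"}


def parse_set_cookie(raw):
    """Split one Set-Cookie header value into (name, value, {attr: val}).

    Lenient on purpose: session cookie values often contain characters the strict
    stdlib cookie parser rejects, and we only need the name, value and attributes.
    """
    parts = [p.strip() for p in raw.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() or True
    return name.strip(), value.strip(), attrs


def session_cookies_issued(set_cookie_headers):
    """Return names of session cookies set with a non-empty, non-expired value.

    A cookie cleared with Max-Age=0 or an empty value is a logout, not a new session.
    """
    found = []
    for raw in set_cookie_headers:
        name, value, attrs = parse_set_cookie(raw)
        cleared = attrs.get("max-age") == "0"
        if name.upper() in SESSION_COOKIE_NAMES and value and not cleared:
            found.append(name)
    return found


def live_check(base_url, token):
    """Call GET /api/alert with a bearer token and report any session cookie returned."""
    req = Request(f"{base_url.rstrip('/')}/api/alert",
                  headers={"Authorization": f"Bearer {token}"})
    # urlopen attaches no cookie jar, so any Set-Cookie here was issued for the token alone.
    with urlopen(req, timeout=10) as resp:
        return session_cookies_issued(resp.headers.get_all("Set-Cookie") or [])


if __name__ == "__main__":
    url, tok = os.environ.get("THEHIVE_URL"), os.environ.get("THEHIVE_TOKEN")
    if not (url and tok):
        sys.exit("set THEHIVE_URL and THEHIVE_TOKEN to run the live check")
    print("session cookie issued for token call:", live_check(url, tok) or "none")
```

Run it against a read-only token; an empty result means token calls no longer create a UI session, which is the first of the two fixes proposed above.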