Remove access to CDAP_Auth_Token in frontend and mark it httpOnly

Description

Currently we are accessing the CDAP_Auth_Token cookie in the client side JS script to set the Authorization header in some requests.


This is not a secure practice: a token that client-side JavaScript can read is exposed to any script running in the page. The following changes make this auth flow more secure.

  1. CDAP instances must be configured with the ssl.external.enabled flag set to true. (This is not the responsibility of the cdap-ui package; it must be ensured when CDAP is installed.)

  2. The CDAP_Auth_Token cookie must be set by the server, on user login, with the Secure, SameSite=Strict and HttpOnly flags.

  3. The CDAP_Auth_Token cookie must not be accessed or read by client-side JS. (Client-side JS cannot read it once the server sets it with the HttpOnly flag.)

  4. When a request is received by the UI server, it must check for the CDAP_Auth_Token cookie and use its value to set the Authorization header before proxying the request to the backend servers.
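The flow described in steps 2 to 4, as an added example that is not code from the cdap-ui project: one function builds the Set-Cookie value the server should send on login, and another derives the upstream Authorization header from the cookie on the UI server. It assumes the backend expects an Authorization header of the form "Bearer <token>" and that header names arrive lowercased, as Node.js delivers them.

```javascript
// Added example, not cdap-ui code. Assumptions: the backend expects
// "Authorization: Bearer <token>", and incoming header names are lowercase.
const COOKIE_NAME = 'CDAP_Auth_Token';

// RFC 6265 cookie-octet: printable ASCII except space, DQUOTE, comma,
// semicolon and backslash. Anything else cannot be placed in a cookie.
const COOKIE_OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]+$/;

// Step 2: the Set-Cookie header value emitted on login. HttpOnly hides the
// cookie from document.cookie, Secure restricts it to TLS (which step 1
// guarantees via ssl.external.enabled), SameSite=Strict stops cross-site sends.
function buildAuthCookie(token, maxAgeSeconds) {
  if (!COOKIE_OCTETS.test(token)) {
    throw new Error('token is not a valid cookie value');
  }
  return [
    `${COOKIE_NAME}=${token}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'Secure',
    'HttpOnly',
    'SameSite=Strict',
  ].join('; ');
}

// Minimal parser for a Cookie request header ("a=1; b=2").
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 1) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Step 4: headers for the proxied request. Any Authorization header the
// browser supplied is discarded (step 3: the client no longer provides it),
// and the cookie is not forwarded because the backend authenticates by header.
function outgoingHeaders(incomingHeaders) {
  const headers = { ...incomingHeaders };
  delete headers.authorization;
  delete headers.cookie;
  const token = parseCookies(incomingHeaders.cookie)[COOKIE_NAME];
  if (token) headers.authorization = `Bearer ${token}`;
  return headers;
}
```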

Release Notes

None

Activity

Fixed

Details

Docs Impact

No

UX Impact

No

Triaged

Yes

Size

M

Created April 15, 2024 at 1:48 PM
Updated April 15, 2024 at 6:34 PM
Resolved April 15, 2024 at 6:34 PM