-
Notifications
You must be signed in to change notification settings - Fork 3.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
apiv2: accept cookie auth when header is non-empty
In order to make use of HTTP endpoints under `/api/v2` in the DB Console it is necessary to support cookie-based authentication for ergonomic Javascript use. Previously, header-based auth was not possible to use in the DB Console because the login endpoint we use returns the session in a Cookie. Moving this cookie into a header would require us to read into a less-secure storage method (local storage, redux, etc.) instead of keeping it secure in the browser's cookie storage. We implement a suggestion to rely on Cookie auth by requiring the presence of the auth header with a magic value of `"cookie"` that tells the server to look for the session in the session cookie. This forces the caller to modify the request via JS, which protects us from CSRF since cross-origin requests can only be "simple". See the issue for further discussion. Resolves #84311 Release note (security update): The HTTP endpoints under the `/api/v2` prefix will now accept cookie-based authentication similar to other HTTP endpoints used by the DB Console. The encoded session *must* be in a cookie named `"session"`, and the `"X-Cockroach-API-Session"` header is required to be set to `"cookie"` for the session to be read from the cookie header. A cookie provided without the custom header present will be ignored.
- Loading branch information
1 parent
033c911
commit 6d36dfc
Showing
5 changed files
with
142 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters