-
Notifications
You must be signed in to change notification settings - Fork 3.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
api: support cookie-based auth for read-only queries for sql-over-http #84311
Comments
Based on our convo today I think a good next step would be to define a cookie-only read-only alternative to the current endpoint. This could also leverage follower reads for better performance. We can then discuss other options after the initial prototype is out. @bdarnell @kpatron-cockroachlabs - an extra 👀 from you would be welcome on this. |
IIRC browsers provide per-domain isolation of |
Ah, @xinhaoz just linked me to https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#local-storage , so that makes sense. |
I'm personally a fan of continuing with HttpOnly cookies so that even if there is an XSS vulnerability the attacker can't exfiltrate the credential, which makes attacks harder. If for some reason that is not feasible I'd personally prefer non-HttpOnly cookies to LocalStorage as I believe LocalStorage doesn't allow expiring values nor the equivalent "session" cookie functionality. I think preventing CSRF attacks would require less effort than seems to be implied on this issue and the Slack thread. Some ways to solve the problem:
Some notes:
|
In order to make use of HTTP endpoints under `/api/v2` in the DB Console it is necessary to support cookie-based authentication for ergonomic Javascript use. Previously, header-based auth was not possible to use in the DB Console because the login endpoint we use returns the session in a Cookie. Moving this cookie into a header would require us to read into a less-secure storage method (local storage, redux, etc.) instead of keeping it secure in the browser's cookie storage. We implement a suggestion to rely on Cookie auth by requiring the presence of the auth header but ignoring its value. This forces the caller to modify the request via JS, which protects us from CSRF since cross-origin requests can only be "simple". See the issue for further discussion. Resolves cockroachdb#84311 Release note: None
In order to make use of HTTP endpoints under `/api/v2` in the DB Console it is necessary to support cookie-based authentication for ergonomic Javascript use. Previously, header-based auth was not possible to use in the DB Console because the login endpoint we use returns the session in a Cookie. Moving this cookie into a header would require us to read into a less-secure storage method (local storage, redux, etc.) instead of keeping it secure in the browser's cookie storage. We implement a suggestion to rely on Cookie auth by requiring the presence of the auth header with a magic value of `"cookie"` that tells the server to look for the session in the session cookie. This forces the caller to modify the request via JS, which protects us from CSRF since cross-origin requests can only be "simple". See the issue for further discussion. Resolves cockroachdb#84311 Release note (security update): The HTTP endpoints under the `/api/v2` prefix will now accept cookie-based authentication similar to other HTTP endpoints used by the DB Console. The encoded session *must* be in a cookie named `"session"`, and the `"X-Cockroach-API-Session"` header is required to be set to `"cookie"` for the session to be read from the cookie header. A cookie provided without the custom header present will be ignored.
83120: server: include system and meta ranges in hot ranges report r=koorosh a=koorosh `status.HotRangesV2` endpoint iterates over ranges that have the highest QPS, and it might include meta- or system ranges that don't have table descriptors. Before, it didn't include such ranges that didn't provide users full information on what ranges are hot even if it's a system range. The current patch includes system and meta ranges in the Hot Ranges list with limited information (that doesn't include table-specific data). Release note: None Resolves #83117 84617: apiv2: accept cookie auth when header is non-empty r=knz,kpatron-cockroachlabs,xinhaoz a=dhartunian In order to make use of HTTP endpoints under `/api/v2` in the DB Console it is necessary to support cookie-based authentication for ergonomic Javascript use. Previously, header-based auth was not possible to use in the DB Console because the login endpoint we use returns the session in a Cookie. Moving this cookie into a header would require us to read into a less-secure storage method (local storage, redux, etc.) instead of keeping it secure in the browser's cookie storage. We implement a suggestion to rely on Cookie auth by requiring the presence of the auth header with a magic value of `"cookie"` that tells the server to look for the session in the session cookie. This forces the caller to modify the request via JS, which protects us from CSRF since cross-origin requests can only be "simple". See the issue for further discussion. Resolves #84311 Release note (security update): The HTTP endpoints under the `/api/v2` prefix will now accept cookie-based authentication similar to other HTTP endpoints used by the DB Console. The encoded session *must* be in a cookie named `"session"`, and the `"X-Cockroach-API-Session"` header is required to be set to `"cookie"` for the session to be read from the cookie header. A cookie provided without the custom header present will be ignored. 85421: explain: print "FULL SCAN (SOFT LIMIT)" for full scans with soft limits r=rytaft,mgartner a=michae2 Change `EXPLAIN` output of full scans with soft limits to "FULL SCAN (SOFT LIMIT)" instead of "FULL SCAN". This will help distinguish them from unlimited full scans. So now we print three different messages for three kinds of full scans: - For full scans with hard limits we print "LIMITED SCAN". - For full scans with soft limits we print "FULL SCAN (SOFT LIMIT)". - For unlimited full scans we print "FULL SCAN". Release note (sql change): Change `EXPLAIN` output of full scans with soft limits to "FULL SCAN (SOFT LIMIT)" instead of "FULL SCAN", to distinguish them from unlimited full scans. Unlimited full scans always scan the entire index. Full scans with soft limits could scan the entire index, but usually halt early once enough rows have been found to satisfy their parent operator. 85486: roachtest: re-enable costfuzz test r=msirek,rytaft a=michae2 We've fixed a number of issues found by costfuzz's sibling test unoptimized-query-oracle, so it feels like the right time to cry 'Havoc!', and let slip the dogs of war. Fixes: #81717 Release note: None Co-authored-by: Andrii Vorobiov <[email protected]> Co-authored-by: David Hartunian <[email protected]> Co-authored-by: Michael Erickson <[email protected]>
In order to make use of HTTP endpoints under `/api/v2` in the DB Console it is necessary to support cookie-based authentication for ergonomic Javascript use. Previously, header-based auth was not possible to use in the DB Console because the login endpoint we use returns the session in a Cookie. Moving this cookie into a header would require us to read into a less-secure storage method (local storage, redux, etc.) instead of keeping it secure in the browser's cookie storage. We implement a suggestion to rely on Cookie auth by requiring the presence of the auth header with a magic value of `"cookie"` that tells the server to look for the session in the session cookie. This forces the caller to modify the request via JS, which protects us from CSRF since cross-origin requests can only be "simple". See the issue for further discussion. Resolves cockroachdb#84311 Release note (security update): The HTTP endpoints under the `/api/v2` prefix will now accept cookie-based authentication similar to other HTTP endpoints used by the DB Console. The encoded session *must* be in a cookie named `"session"`, and the `"X-Cockroach-API-Session"` header is required to be set to `"cookie"` for the session to be read from the cookie header. A cookie provided without the custom header present will be ignored.
Is your feature request related to a problem? Please describe.
Currently, the JS code in DB Console uses cookie-based auth for all requests to CRDB. This works smoothly because the browser handles all the cookie storage and security and the cookie stored with the
httponly
tag that prevents any JS access.This model presents some struggles with attempting to use endpoints under the newer
/api/v2
prefix since these endpoints weren't built with a UI as a primary consumer. They implement header-based authentication, and do not accept cookies.Attempting to use the header-based auth in DB console in order to use the recently merged SQL-over-HTTP endpoint (#79663) has presented some challenges because we need to add the session auth header but have no programmatic access to it since the browser hides it from us in the list of cookies.
Describe the solution you'd like
Ideally, the
/api/v2
should accept cookie-based authentication just like the rest of the endpoints we currently rely on since this is how UIs like the DB Console expect to authenticate with backends and it lets us rely on browser-based security models instead of storing our own auth header...somewhere else.One proposal from @knz is to allow cookie-based auth for read-only queries only instead of the current read/write ability in the new endpoint. Observability needs are almost entirely read-only and we can find other solutions or custom gRPC endpoints for write endpoints if we have to. This can mitigate the blast radius of security CSRF attacks while allowing for smoother DB Console development.
Describe alternatives you've considered
/api/v2
endpoint separately and store the session in redux (does not persist between browser sessions) or local storage (persists between browser sessions but is insecure)/api/v2
auth code could be modified to accept cookie-based auth. (reduces security for all API endpoints)/api/v2
auth code could accept cookie-based auth but only with a CSRF token which would be retrieved in a separate call (this adds complexity to the UI code).Slack thread
Jira issue: CRDB-17583
The text was updated successfully, but these errors were encountered: