
Throw an error on invalid credentials

Open meisterT opened this issue 10 months ago • 7 comments

When downloading data via the API, we determine the data to expose based on the user role.

Currently, if you pass incorrect credentials, we just fall back to public data. It would be better to fail hard to clearly indicate that credentials should be corrected.

meisterT avatar Apr 18 '24 19:04 meisterT

I'm not sure if I agree; in this specific case we could have tested against the /account endpoint and seen if we had the needed access. It feels like a security flaw to acknowledge when people have the wrong credentials, as depending on the implementation this would open things up for a user enumeration attack.

vmcj avatar Apr 21 '24 19:04 vmcj

There is no enumeration attack: if you provide an invalid user/password combination then we can return a 401 error code. That only means that that user/password combination is invalid, not that the user exists.

I think I agree that returning a 401 is better than just falling back to public data.

eldering avatar Apr 24 '24 21:04 eldering

When do you get this? If I use HTTPie to get an API endpoint with an invalid user, I get an HTTP/1.1 401 Unauthorized.

nickygerritsen avatar May 21 '24 00:05 nickygerritsen

I think the case was for a situation where you don't authenticate at all and receive public data. @tuupke encountered this with Ansible for EUC IIRC.

vmcj avatar May 21 '24 04:05 vmcj

But there is nothing we can do there, is there? You are allowed to get public data…

nickygerritsen avatar May 21 '24 10:05 nickygerritsen
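The two behaviours the thread contrasts, as an added Python illustration that is not DOMjudge's own code: a request with no credentials still gets public data, while a presented-but-invalid user/password pair gets a 401 whose status and body are the same whether or not the user exists (the point eldering makes). The user table, endpoint data and password hashing are constructed for the example; `strict=False` reproduces the silent fallback the issue reports.

```python
import base64
import hashlib
import hmac

# Constructed user table (username -> salted SHA-256 of password); not DOMjudge's schema.
_SALT = b"example-salt"
_USERS = {"jury": hashlib.sha256(_SALT + b"correct horse").hexdigest()}
_DUMMY = hashlib.sha256(_SALT + b"placeholder").hexdigest()

PUBLIC_DATA = {"scoreboard": "public rows only"}
JURY_DATA = {"scoreboard": "public rows plus hidden/frozen rows"}


def _credentials_valid(username: str, password: str) -> bool:
    """Check a user/password pair. Unknown users are compared against a dummy
    hash so the work done, and the response, is the same as for a wrong password."""
    expected = _USERS.get(username, _DUMMY)
    actual = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(actual, expected) and username in _USERS


def handle_request(headers: dict, strict: bool):
    """Return (status, body) for a GET on an endpoint whose content depends on role.

    strict=False: the behaviour the issue describes (bad credentials silently
    degrade to public data). strict=True: the proposed fix (bad credentials -> 401;
    an anonymous request still gets public data, which it is allowed to see)."""
    auth = headers.get("Authorization")
    if auth is None:
        return 200, PUBLIC_DATA  # no credentials presented: public data is fine
    scheme, _, token = auth.partition(" ")
    try:
        if scheme.lower() != "basic":
            raise ValueError("unsupported auth scheme")
        username, _, password = base64.b64decode(token).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are subclasses
        username, password = "", ""  # malformed header counts as invalid credentials
    if _credentials_valid(username, password):
        return 200, JURY_DATA
    if strict:
        # Identical response for "unknown user" and "wrong password": it only says
        # that this combination is invalid, not whether the account exists.
        return 401, {"error": "invalid credentials"}
    return 200, PUBLIC_DATA  # silent fallback: the problem reported in the issue


def basic_auth(username: str, password: str) -> dict:
    """Build the Authorization header a client such as HTTPie --auth would send."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```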

@tuupke do you remember on which endpoint this happened?

meisterT avatar May 25 '24 13:05 meisterT

No, not really, unfortunately. It happened during EOC in Luxor (PC^2 put it in the PM), but I cannot recall which endpoint it was. Since it was one of the endpoints that require verification, it narrows it down. (scoreboard.json, awards.json, results.tsv)

I have a hunch it was results.tsv but since @edomora97 was running EOC he might remember. Alternatively we could ask PC^2 whether they remember.

tuupke avatar Jul 03 '24 19:07 tuupke