DOMjudge / domjudge

DOMjudge programming contest jury system
https://www.domjudge.org
GNU General Public License v2.0

Throw an error on invalid credentials #2479

Open meisterT opened 2 months ago

meisterT commented 2 months ago

When downloading data via the API, we determine the data to expose based on the user role.

Currently, if you pass incorrect credentials, we just fall back to public data. It would be better to fail hard to clearly indicate that credentials should be corrected.

vmcj commented 2 months ago

> When downloading data via the API, we determine the data to expose based on the user role.
>
> Currently, if you pass incorrect credentials, we just fall back to public data. It would be better to fail hard to clearly indicate that credentials should be corrected.

I'm not sure if I agree; in this specific case we could have tested against the /account endpoint and seen if we had the needed access. It feels like a security flaw to acknowledge when people have the wrong credentials, as depending on implementation this would open up for a user enumeration attack.

eldering commented 2 months ago

There is no enumeration attack: if you provide an invalid user/password combination then we can return a 401 error code. That only means that that user/password combination is invalid, not that the user exists.

I think I agree that returning a 401 is better than just falling back to public data.

nickygerritsen commented 1 month ago

When do you get this? If I use HTTPie to get an API endpoint with an invalid user, I get an HTTP/1.1 401 Unauthorized.

vmcj commented 1 month ago

> When do you get this? If I use HTTPie to get an API endpoint with an invalid user, I get an HTTP/1.1 401 Unauthorized.

I think the case was for a situation where you don't authenticate at all and receive public data. @tuupke encountered this with Ansible for EUC IIRC.

nickygerritsen commented 1 month ago

But there is nothing we can do there, is there? You are allowed to get public data…
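As an added illustration of the three cases this thread is about (no credentials at all, valid credentials, credentials present but wrong), here is a small stand-alone model of the decision logic. It is not DOMjudge code and does not use its schema or framework; it assumes HTTP Basic auth, an in-memory user store with one constructed account, and a single endpoint. `handle_scoreboard_fallback` reproduces the behaviour meisterT describes (wrong credentials silently become public data), `handle_scoreboard` shows the proposed behaviour, and, following eldering's point, the 401 is identical for an unknown user and for a wrong password, with the password hash computed in both cases so the two are not distinguishable by timing either. An anonymous request still gets public data, as nickygerritsen notes it must.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple, Dict

# Constructed credential store (hypothetical, not DOMjudge's user table).
_SALT = b"constructed-salt"


def _hash(password: str, salt: bytes = _SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


USERS = {
    "judge": {"hash": _hash("correct horse"), "roles": {"jury"}},
}
# Dummy hash compared against when the user does not exist, so the
# unknown-user path does the same amount of work as the wrong-password path.
_DUMMY_HASH = _hash("dummy")

# Constructed payloads standing in for a public and a jury view of one endpoint.
PUBLIC_DATA = {"scoreboard": ["public rows"]}
JURY_DATA = {"scoreboard": ["public rows", "jury-only rows"]}


@dataclass
class Response:
    status: int
    body: object
    headers: Dict[str, str] = field(default_factory=dict)


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(authorization: Optional[str]) -> Tuple[str, Optional[set]]:
    """Return ('anonymous', None), ('valid', roles) or ('invalid', None).

    'anonymous' means no Authorization header was sent at all; 'invalid'
    means credentials were presented but do not match.
    """
    if authorization is None:
        return "anonymous", None
    scheme, _, encoded = authorization.partition(" ")
    if scheme.lower() != "basic":
        return "invalid", None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return "invalid", None
    user, _, password = decoded.partition(":")
    record = USERS.get(user)
    expected = record["hash"] if record else _DUMMY_HASH
    ok = hmac.compare_digest(_hash(password), expected)
    if record is not None and ok:
        return "valid", set(record["roles"])
    return "invalid", None


def handle_scoreboard_fallback(headers: Dict[str, str]) -> Response:
    """Current behaviour described in the issue: wrong credentials are treated
    like no credentials and the caller silently receives public data."""
    state, roles = authenticate(headers.get("Authorization"))
    if state == "valid" and "jury" in roles:
        return Response(200, JURY_DATA)
    return Response(200, PUBLIC_DATA)


def handle_scoreboard(headers: Dict[str, str]) -> Response:
    """Proposed behaviour: credentials that were sent but do not match fail
    hard with 401. The body is the same whether the user exists or not."""
    state, roles = authenticate(headers.get("Authorization"))
    if state == "invalid":
        return Response(401, {"error": "invalid credentials"},
                        {"WWW-Authenticate": 'Basic realm="api"'})
    if state == "valid" and "jury" in roles:
        return Response(200, JURY_DATA)
    # Anonymous request: public data is allowed.
    return Response(200, PUBLIC_DATA)


if __name__ == "__main__":
    for label, hdrs in [
        ("anonymous", {}),
        ("valid", {"Authorization": basic_header("judge", "correct horse")}),
        ("wrong password", {"Authorization": basic_header("judge", "nope")}),
        ("unknown user", {"Authorization": basic_header("nobody", "nope")}),
    ]:
        old, new = handle_scoreboard_fallback(hdrs), handle_scoreboard(hdrs)
        print(f"{label:15} fallback={old.status} {old.body}  proposed={new.status} {new.body}")
```

The header lookup is case-sensitive here for brevity; a real server normalises header names. The point the comparison makes is that a client with a typo in its credentials cannot tell, under the fallback behaviour, whether it received the jury view or the public view, whereas under the proposed behaviour it gets an unambiguous 401 that reveals nothing about whether the account exists.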

meisterT commented 1 month ago

@tuupke do you remember on which endpoint this happened?

tuupke commented 2 days ago

No, not really, unfortunately. It happened during EOC in Luxor (PC^2 put it in the PM), but I cannot recall which endpoint it was. Since it was one of the endpoints that require verification, it narrows it down (scoreboard.json, awards.json, results.tsv).

I have a hunch it was results.tsv but since @edomora97 was running EOC he might remember. Alternatively we could ask PC^2 whether they remember.