search

OpenMined / PyDentity

A repository for leveraging Self-Sovereign Identity in applications
65 stars 25 forks source link

Aiohttp_security - securing access to AcaPy assets - SSL/HTTPS #86

Open frogman opened 3 years ago

frogman commented 3 years ago

Question

I was worried about the security in the AcaPy aiohttp instances and asyncio calls with the API endpoints.

Further Information

Maybe I missed it , but following the aiohttp.clientsession calls from the AcaPy endpoints I could not find any builtin security. https://aiohttp-security.readthedocs.io/en/latest/usage.html We could check out the python native aiohttp-security library which uses security policies. There are also alternatives which we can also reach, is using SSL when serving Swagger calls.

Additional Context

We could also consider installing a SSL certificate in the swagger Certificate Manager (not sure if AcaPy allows this admin part of the API to be administered or changed). Or we can use HA load balancers to capture HTTPS traffic and balance it further to AcaPy swagger endpoints. In both approaches we need access to the Swagger Admin Center -- usually at http:///ui

Cheers.

Z

wip-abramson commented 3 years ago

Is this not the API_KEY that can be optionally set? Or is this something extra we need to look into.

frogman commented 3 years ago

Hi @wip-abramson @lohanspies @morrieinmaas What I was thinking, the default API AcaPy traffic (when started out-of-the box) uses clear text over HTTP OpenAPI REST. From the security point of view , if we expose anywhere the REST API outside of the core system , the communication should not go over unencrypted http channel. Even if we use X-API-Key like @wip-abramson said, it is true that without the key we cannot trigger no REST actions, but any kind of inspection browser can then easily read the clear-text http headers and catch the API key. I would see (will also check in my local install or with AcaPy guys) if we can also make additional configs to insert vie Swagger certificate manager (SSL with PEM file) or we can do it the harder way and install a load balancers to proxy all the requests and talk only https before.

lohanspies commented 3 years ago

@frogman we just need to ensure the REST API is exposed over HTTPS by installing a cert as you mentioned.