dblock
commented
7 years ago This highlights the need for a shared middleware across Artsy for these! cc: @orta
I think the Gravity API is OK, it hands a token for a given app that can then be used to identify the user from gravity. That's authentication. Authorization is definitely the burden of this app and it should reject users it doesn't want.
I did raise this in #security on Slack btw. And please note that bearden is public, so this discussion is public as well.
joeyAghion
jonallured
cavvia
It turns out gravity has an Auth API endpoint that deals out JWT tokens to untrusted apps (like force) with a short expiry. This can theoretically be used to produce valid JWT tokens for Bearden knowing only the Bearden application ID, which is a security problem.
While the Gravity API endpoint looks like a security hole, it can be useful for some apps who wish to allow access to a set of users from an untrusted app (like Impulse, which wants to allow some Force users access to their conversations inbox data, as Force is an untrusted app in this scheme).
We've decided it's up to the destination app to validate app roles in its auth if it wishes to restrict access to trusted apps. This is the case with Bearden, so I've added the additional checks in our auth method to ensure that the app which requested the token is trusted. We use 'roles' embedded in the JWT to determine whether an app is trusted (see gravity code).
cc @joeyAghion @mzikherman