Closed binchoo closed 1 year ago
Change Impact
Spring Security configuration
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // The expected key comes from configuration (auth.apikey); keep it out of source control.
    @Value("${auth.apikey}")
    private String expectedApiKey;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // This filter chain covers only the skill endpoints; requests outside /ikakao/**
            // are not matched by it and stay unprotected unless another chain secures them.
            .antMatcher("/ikakao/**")
            // permitAll() is intentional: the custom filter below is the only gate. It does not
            // populate the SecurityContext, so no later authorization rule can rely on a principal.
            .authorizeRequests().anyRequest().permitAll()
            .and()
            .addFilterBefore(new ApiKeyValidationFilter(expectedApiKey), BasicAuthenticationFilter.class)
            // Server-to-server calls carry no browser session, so CSRF protection does not apply here.
            .csrf().disable();
    }
}
API Key validation filter
import java.io.IOException;
import javax.servlet.*; import javax.servlet.http.*;
import org.slf4j.*;
import org.springframework.web.filter.GenericFilterBean;
public class ApiKeyValidationFilter extends GenericFilterBean { // base class assumed; the issue shows only doFilter
    private static final Logger logger = LoggerFactory.getLogger(ApiKeyValidationFilter.class);
    private static final String HEADER_X_API_KEY = "X-API-KEY";             // header names are not shown in the issue; assumed
    private static final String HEADER_X_FORWARDED_FOR = "X-Forwarded-For";
    private final String expectedApiKey;
    public ApiKeyValidationFilter(String expectedApiKey) { this.expectedApiKey = expectedApiKey; }
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
        var httpRequest = (HttpServletRequest) request;
        var httpResponse = (HttpServletResponse) response;
        String actualApiKey = httpRequest.getHeader(HEADER_X_API_KEY); // null when the header is absent; equals() then returns false
        if (expectedApiKey.equals(actualApiKey)) {   // String.equals is not constant-time; MessageDigest.isEqual avoids the timing side channel
            chain.doFilter(request, response);
        } else {
            // Reject without calling the rest of the chain. Caveats: X-Forwarded-For is client-controlled unless a
            // trusted proxy rewrites it, and logging the presented key writes a (possibly mistyped real) secret to the log.
            httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            String clientIp = httpRequest.getHeader(HEADER_X_FORWARDED_FOR);
            logger.warn("[Security] Unauthorized api-key: {} from {}", actualApiKey, clientIp);
        }
    }
}
As-is: No API keys are required for calling the paimonganyu-skill endpoints. If an attacker who uses a fake KakaoTalk chatbot sends a request to our endpoints via the ikakao skill connectors, he may find a botUserId matching one in the PaimonGanyu system with a very low probability.

To-be: Although the probability is significantly low, I do not want to have this vulnerability affect my system. So I'll implement an API key validation using the Spring Security filter chain.
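A hardened form of the API-key gate the To-be plan describes, written here as an added example; it is not code from the PaimonGanyu repository. It assumes Spring Boot 2.x / Spring Security 5.x with the javax.servlet API and SLF4J on the classpath; the class name HardenedApiKeyFilter, the header name X-API-KEY and the set of trusted reverse-proxy addresses are assumptions. It differs from the filter above in three ways: the key is compared in constant time with MessageDigest.isEqual, the presented key is never written to the log, and X-Forwarded-For is only believed when the TCP peer is a known proxy.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Added example: an API-key gate for the /ikakao/** skill endpoints.
 * Assumed: the header name "X-API-KEY" and the set of trusted reverse-proxy addresses.
 */
public class HardenedApiKeyFilter extends OncePerRequestFilter {
    private static final Logger logger = LoggerFactory.getLogger(HardenedApiKeyFilter.class);
    static final String HEADER_X_API_KEY = "X-API-KEY";          // assumed header name
    static final String HEADER_X_FORWARDED_FOR = "X-Forwarded-For";

    private final byte[] expectedKey;         // encoded once; every request compares against the same bytes
    private final Set<String> trustedProxies; // peers whose X-Forwarded-For header we believe

    public HardenedApiKeyFilter(String expectedApiKey, Set<String> trustedProxies) {
        if (expectedApiKey == null || expectedApiKey.isBlank()) {
            // Fail closed at startup rather than accept an empty key at request time.
            throw new IllegalArgumentException("auth.apikey must be configured");
        }
        this.expectedKey = expectedApiKey.getBytes(StandardCharsets.UTF_8);
        this.trustedProxies = Set.copyOf(trustedProxies);
    }

    /** Constant-time comparison; a missing header is simply a mismatch. */
    static boolean keyMatches(byte[] expected, String presented) {
        if (presented == null) {
            return false;
        }
        // MessageDigest.isEqual takes time independent of where the first differing byte is
        // (it returns early only on a length mismatch, which reveals the key's length, not its bytes).
        return MessageDigest.isEqual(expected, presented.getBytes(StandardCharsets.UTF_8));
    }

    /** Use X-Forwarded-For only when the TCP peer is a trusted proxy; otherwise the peer address is the truth. */
    static String clientIp(String remoteAddr, String forwardedFor, Set<String> trustedProxies) {
        if (forwardedFor != null && trustedProxies.contains(remoteAddr)) {
            // Each proxy appends the peer it saw, so the leftmost entries are whatever the client sent.
            // With one trusted proxy hop, the rightmost entry is the address that proxy actually observed.
            String[] hops = forwardedFor.split(",");
            return hops[hops.length - 1].trim();
        }
        return remoteAddr;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        if (keyMatches(expectedKey, request.getHeader(HEADER_X_API_KEY))) {
            chain.doFilter(request, response);
            return;
        }
        // Log the fact and the source, never the presented key: a mistyped production key
        // in the log file is itself a credential leak.
        String ip = clientIp(request.getRemoteAddr(), request.getHeader(HEADER_X_FORWARDED_FOR), trustedProxies);
        logger.warn("[Security] rejected request to {} from {}: missing or invalid API key", request.getRequestURI(), ip);
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
}
```

To wire it in, replace `new ApiKeyValidationFilter(expectedApiKey)` in the configuration with `new HardenedApiKeyFilter(expectedApiKey, Set.of("10.0.0.1"))`, substituting the real proxy address. Keep constructing it inside the `HttpSecurity` chain rather than declaring it as a `@Bean` or `@Component`: Spring Boot registers every `Filter` bean with the servlet container as well, which would apply the key check to every path instead of only `/ikakao/**`.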