egovernments / DIVOC

Open source digital platform for large scale vaccination and digital credentialing programs. Built for India scale, addresses future vaccination scenarios, digital credentialing, and beyond.
MIT License

Security Flaw #859

Open supersaiyane opened 2 years ago

supersaiyane commented 2 years ago

Open Config for Flagr

  1. The Flagr URL is accessible without authentication.
  2. Without authentication, global application configs can be changed/deleted.

To Reproduce

  1. Go to domain/config

Expected behavior: All the exposed services should be password protected, like Keycloak.

Screenshots: divoc-demo-flagr (screenshot not included)

dileepbapat commented 2 years ago

@supersaiyane For the demo instance / docker-compose file, the auth config (JWT) is not set as of now. It can be configured at https://github.com/egovernments/DIVOC/blob/main/docker-compose-release.yml#L70. Configuration documentation: https://checkr.github.io/flagr/#/flagr_env

Usually this may use a dedicated role or even a different auth provider, based on implementation need.
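Added example, not the DIVOC compose file or Flagr's own code: a docker-compose fragment showing the open demo setting described in the issue beside the same service with Flagr's JWT auth switched on. The service names, image, port mapping and the secret reference are constructed; the `FLAGR_*` variable names are the ones from the linked Flagr env reference, so check them against the Flagr version you deploy.

```yaml
# Added example, not the project's compose file. Service names, ports and
# the secret reference are constructed placeholders.

services:
  # BEFORE: the demo configuration as reported. With no FLAGR_JWT_AUTH_* or
  # FLAGR_BASIC_AUTH_* variables set, the Flagr UI and the flag APIs
  # (/api/v1/flags) answer to anyone who can reach the port, so flags can be
  # changed or deleted without logging in.
  flagr-open:
    image: checkr/flagr
    ports:
      - "18000:18000"
    environment:
      FLAGR_DB_DBDRIVER: sqlite3
      FLAGR_DB_DBCONNECTIONSTR: /data/demo_app.db

  # AFTER: same service with JWT auth enabled. Every path that is not
  # whitelisted, including the config UI and the flag mutation APIs, now
  # requires a token signed with the shared secret.
  flagr-protected:
    image: checkr/flagr
    ports:
      - "127.0.0.1:18000:18000"   # loopback only; expose it through the gateway
    environment:
      FLAGR_DB_DBDRIVER: sqlite3
      FLAGR_DB_DBCONNECTIONSTR: /data/demo_app.db
      FLAGR_JWT_AUTH_ENABLED: "true"
      FLAGR_JWT_AUTH_SIGNING_METHOD: HS256
      # Injected from a .env file or secret store at deploy time; never commit it.
      FLAGR_JWT_AUTH_SECRET: ${FLAGR_JWT_SECRET}
      FLAGR_JWT_AUTH_COOKIE_TOKEN_NAME: access_token
      # Keep only the evaluation endpoint (used by the application services)
      # and static assets open; everything else needs a valid token.
      FLAGR_JWT_AUTH_WHITELIST_PATHS: /api/v1/evaluation,/static
      # Answer unauthenticated requests with 401 instead of a redirect.
      FLAGR_JWT_AUTH_NO_TOKEN_STATUS_CODE: "401"
```

After deploying, a request to the Flagr UI or to /api/v1/flags without the token cookie should return 401; a 200 means the variables were not picked up.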