Right now, requests with admin rights can only come from reg-regsys-classic, that is, from the space behind the Apache reverse proxy.
This presents an opportunity to protect against admin requests coming in over the API, until 2FA becomes available:
Requests should only count as "admin" in IdentityManager if, in addition to carrying a token with the admin group, they also carry the header "X-Admin-Request" = "available". This header will be blocked in the Apache reverse proxy, just like the "X-Api-Token" header already is.
This is the corresponding implementation in reg-attendee-service:
```go
// checkInternalAdminRequestHeaderForGroup is a temporary safety measure until we have 2FA for admins.
//
// It enforces an extra internal request header for admin requests (the header is
// blocked by the reverse proxy for external requests). For any group other than
// the admin group the check is a no-op and always returns true.
//
// TODO: remove this workaround once 2FA is available
func checkInternalAdminRequestHeaderForGroup(ctx context.Context, r *http.Request, group string) bool {
	if group == config.OidcAdminGroup() {
		adminRequestHeaderValue := r.Header.Get("X-Admin-Request")
		if adminRequestHeaderValue != "available" {
			aulogging.Logger.Ctx(ctx).Warn().Print("X-Admin-Request header was not set correctly!")
			return false
		}
	}
	return true
}
```
The same check should also be added to the payment service, clearly marked as a TODO so it is removed again once 2FA is here.
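To show both halves of the measure together, here is an added example (not code from reg-attendee-service or the payment service) that models the Apache reverse proxy as a header-stripping Go handler in front of a backend running the same check. The token table, the raw-token `Authorization` lookup and the `/admin` route are constructed stand-ins for the real OIDC token handling.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Constructed token table standing in for a verified OIDC token.
var tokenGroup = map[string]string{"admin-token": "admin", "user-token": "user"}

// isAdminRequest mirrors the attendee-service check: admin group AND marker header.
func isAdminRequest(r *http.Request) bool {
	return tokenGroup[r.Header.Get("Authorization")] == "admin" &&
		r.Header.Get("X-Admin-Request") == "available"
}

// backend is the service endpoint; it answers "admin" or "user".
var backend = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	verdict := "user"
	if isAdminRequest(r) {
		verdict = "admin"
	}
	w.Write([]byte(verdict))
})

// stripInternalHeaders models the Apache reverse proxy deleting the internal-only headers.
func stripInternalHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("X-Admin-Request")
		r.Header.Del("X-Api-Token")
		next.ServeHTTP(w, r)
	})
}

// Classify sends a request with the given headers to the backend, directly
// (caller behind the proxy) or via the proxy (external caller), and returns the verdict.
func Classify(external bool, headers map[string]string) string {
	var entry http.Handler = backend
	if external {
		entry = stripInternalHeaders(backend)
	}
	req := httptest.NewRequest(http.MethodGet, "/admin", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	entry.ServeHTTP(rec, req)
	return rec.Body.String()
}
```

An external caller holding a genuine admin token still gets "user", because the proxy drops the marker header before the backend sees it; only a caller behind the proxy can reach "admin".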