search

globe-and-citizen / layer8

This repo contains the Layer8 Resource/Authentication Server, Proxy, and Service Provider Mocks
GNU General Public License v2.0
1 stars 2 forks source link

INTERNALS/MAIN.GO: line 107: is writing the path in the proxy URL like this a privacy breech? #65

Open stravid87 opened 8 months ago

stravid87 commented 8 months ago

Description

Line 107 of the interceptor: is writing the path in the proxy URL like this a privacy breech? r, err := http.NewRequest("POST", c.proxyURL+parsedURL.Path, bytes.NewBuffer(data)) This parsedURL.Path should really only be accessible to the S.P. This information is carried to line 160 of server/tunnel.go

Requirements:

### Tasks
- [ ] Isolate the path & query params in the Interceptor
- [ ] Encrypt the path & query params so that they are included as part of the request body. 
- [ ] Transmit this encrypted body through the proxy
- [ ] During decryption of the request in the middleware, parse the path and query params.
- [ ] Add back the path and query params to the node request object mimicking how it is done by express.js

Acceptance Criteria

When a frontend user creates a get, post, or other request type, this information should be fully hidden from the proxy and transmitted as part of the encrypted body only. The Service Provider should be able to access this information within the node.js backend by invoking the properties:

app.post[get]("/", (req, res) => {
  console.log(req.query); // an object containing a property for each query string parameter in the route
  console.log(req.path); // Contains the path part of the request URL.
});

Reference: https://expressjs.com/en/api.html#req.path https://expressjs.com/en/api.html#req.path

stravid87 commented 6 months ago

Currently this is now:

    backendURL := fmt.Sprintf(os.Getenv("VITE_BACKEND")+"%s", r.URL)
    // backendURL := fmt.Sprintf("https://%s%s", r.Header.Get("X-Forwarded-Host"), r.URL)

in server/handlers/tunnel.go

The path needs to be encrypted.

stravid87 commented 3 months ago

Note, Marc has requested to have access to params. To solve this issue can be a challenge but should very much be possible. The URL path and query params should be scrapped from the URL by the interceptor as well as the query params. These should then be encrypted and transited through the proxy for decryption and attachment in the middleware such that the service provider receives them like normal and the proxy is ignorant to them.

stravid87 commented 2 months ago

Nice work. Done & done.

stravid87 commented 2 months ago

July 8 - 15

stravid87 commented 1 month ago

July 16 - 22

stravid87 commented 1 month ago

July 29

stravid87 commented 1 month ago

Aug 5, 2024

Can we make the "/media" call on Line 644 in 'interceptro.go' dynamic? Line 55 of server.go should be configurable to any string and still work if configured correctly in the frontend.