nsacyber / WALKOFF

A flexible, easy to use, automation framework allowing users to integrate their capabilities and devices to cut through the repetitive, tedious tasks slowing them down. #nsacyber
https://nsacyber.github.io/WALKOFF/

flask jwt extended in query string #193

Closed vimalloc closed 5 years ago

vimalloc commented 6 years ago

It looks like you guys are using JWTs in the query string (https://github.com/iadgov/WALKOFF/blob/master/walkoff/security.py#L93-L120). A new version of flask-jwt-extended released today that now has built-in support for this (http://flask-jwt-extended.readthedocs.io/en/latest/tokens_in_query_string.html). If there is any desire, you could probably remove the custom stuff and switch back over to this, to ensure there aren't any breaking changes if the internals of that extension change. I would be happy to throw a PR together for this if that sounds good :+1:

JustinTervala commented 6 years ago

I had no idea that feature was available. I agree that we shouldn't have a custom implementation if it's available in one of our existing dependencies, so I look forward to seeing that PR.

coreyjrobins commented 5 years ago

Note: The reason the JWTs are in the query string for certain endpoints is because of SSEs. Currently, the JS uses EventSource objects, which do not accept headers and therefore we must leave the JWT in the query string. We are looking at various workarounds so that JWTs are not passed in via query strings anywhere in the WALKOFF code. However, for the majority of WALKOFF endpoints, JWTs are passed in the header.
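An added example, not WALKOFF's or flask-jwt-extended's own code, modelling the policy described in the thread: only the SSE route (served to EventSource clients that cannot set headers) accepts the token in the query string, every other route is header-only, and the query string is scrubbed before it is written to access logs, since a token in a URL otherwise lands in server logs and Referer headers. The route paths and the `jwt` parameter name are assumptions.

```python
"""Constructed model of per-endpoint JWT token locations (not WALKOFF or
flask-jwt-extended code). Header tokens win; query-string tokens are only
honoured on routes that explicitly allow them."""
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Assumed route policy: which token locations each endpoint accepts.
TOKEN_LOCATIONS = {
    "/api/streams/events": ("headers", "query_string"),  # EventSource client
    "/api/workflows": ("headers",),
}
QUERY_STRING_NAME = "jwt"  # assumed name of the query parameter
# Shape check only (three base64url segments); signature verification is
# left to the JWT library that consumes the returned token.
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$")


def extract_token(path, headers, query):
    """Return (token, location) or (None, None) according to the route policy."""
    allowed = TOKEN_LOCATIONS.get(path, ("headers",))  # default: header-only
    auth = headers.get("Authorization", "")
    if "headers" in allowed and auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip(), "headers"
    token = parse_qs(query).get(QUERY_STRING_NAME, [None])[0]
    if "query_string" in allowed and token and JWT_RE.match(token):
        return token, "query_string"
    return None, None


def redact_query(url):
    """Replace the jwt query value so the token is not written to access logs."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if QUERY_STRING_NAME in params:
        params[QUERY_STRING_NAME] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(params, doseq=True)))
```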