SPCP is in the process of hardening the authentication flow by validating that the argument Target only contains whitelisted domains.
With Form, however, we do not supply Target as a fully qualified URL. Instead, we supply a custom-formatted path-like string as follows:
/<FORM_ID>,<REMEMBER_ME>
Where FORM_ID is alphanumeric, and REMEMBER_ME is a string enum with the values true or false.
Not using a fully qualified URL is a security feature. It ensures we never do a blind redirect when the call comes back; instead, we always validate the form ID and reconstruct a valid URL ourselves, so no arbitrary URL injection is possible.
The risk here is that SPCP's domain whitelisting validation could reject our Target (since we do not supply a domain) and break our integration. SPCP has noticed our custom format, however, and is in the process of ensuring our integration still works after their hardening.
TODO
When SPCP informs us, test on staging that the integration still works.
Gather information from SPCP on exactly what whitelisting rules they have added, and whether this limits our ability to update Target in the future.
Document the restriction, and add a comment in code, so that anyone wishing to add new information to Target is aware they may require a change request on the SPCP side as well.
This is a deferred P1 ticket: It is not urgent now, but it needs to be picked up right away as soon as SPCP informs us their hardening is done.