tonyzimbinski / infinite-campus

📚 unofficial API for Infinite Campus written in Node JS
GNU General Public License v3.0

Insecure login method #17

Closed arachno7 closed 2 years ago

arachno7 commented 2 years ago

Nice little lib. However, it's not best practice to transmit secure login credentials over HTTP GET in the URL. Your username/password is exposed to anything listening to or logging URL traffic. Looks like a drop-in replacement to use the POST version of the same URL.

Example:

    // _login() function around line 237
    request.post(this.district.district_baseurl + 'verify.jsp?nonBrowser=true',
      {
        form: {
          username,
          password,
          portalUrl: this.district.parent_login_url,
          appName: this.district.district_app_name,
        }
      },
      (err, res, body) => {
        try {
          errHandler.login.handle(err, res, body)
        } catch (err) {
          return this.emit('error', err)
        }
        resolve()
      });

Cheers
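An added example, not part of the thread or of the library's code: a check that scans web access logs in Common Log Format for credentials carried in the query string and redacts them. That format records the request line, query string included, but not the request body. The log lines, the `/campus/` path and the GET parameter layout (assumed to mirror the POST form fields above) are constructed for illustration.

```javascript
// Added example: find and redact credentials in access-log request lines.
// Parameter names follow the form fields in the snippet above (assumption
// that the GET variant uses the same names).
const SENSITIVE = new Set(['username', 'password']);

// Quoted request line of a Common/Combined Log Format entry.
const REQUEST_LINE = /"([A-Z]+) (\S+) (HTTP\/[\d.]+)"/;

function auditLogLine(line) {
  const m = REQUEST_LINE.exec(line);
  if (!m) return { leaked: [], redacted: line };
  const [, method, target, proto] = m;
  // The base is a placeholder; only the path and query are used.
  const url = new URL(target, 'https://placeholder.invalid');
  const leaked = [];
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE.has(key.toLowerCase())) {
      leaked.push(key);
      url.searchParams.set(key, 'REDACTED');
    }
  }
  if (leaked.length === 0) return { leaked, redacted: line };
  const safe = `"${method} ${url.pathname}${url.search} ${proto}"`;
  // Function replacer avoids "$" patterns being interpreted in the output.
  return { leaked, redacted: line.replace(m[0], () => safe) };
}

// Returns only the entries that exposed a sensitive parameter.
function auditLog(lines) {
  return lines
    .map((line, i) => ({ lineNo: i + 1, ...auditLogLine(line) }))
    .filter((r) => r.leaked.length > 0);
}

// Constructed sample: the same login sent as GET and as POST.
const sampleLog = [
  '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /campus/verify.jsp?nonBrowser=true&username=jdoe&password=hunter2&appName=demo HTTP/1.1" 200 512',
  '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "POST /campus/verify.jsp?nonBrowser=true HTTP/1.1" 200 512',
];

for (const finding of auditLog(sampleLog)) {
  console.log(`line ${finding.lineNo}: ${finding.leaked.join(', ')}`);
  console.log(finding.redacted);
}
```

The POST entry produces no finding because its form fields travel in the body, which this log format does not record.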

qwazwsx commented 2 years ago

Hm, it's my understanding that when using HTTPS only the domain name is presented in clear text, while the path and query parameters are encrypted.

As per https://https.cio.gov/faq/: "The URL path and query string parameters are encrypted, as are POST bodies."

Please correct me if I am wrong.

qwazwsx commented 2 years ago

I've analyzed the network traffic using Wireshark to confirm this. The only information visible when using HTTPS is the domain name, which is to be expected and is unavoidable.

If you want to discuss this more (or if I am completely off-base), feel free to reopen the issue.

Thank you for the issue, I really appreciate people looking into the code to try and improve it! :-)