Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Check mobile endpoints access across the board. #30761

Closed
wants to merge 6 commits into from
Closed

[WIP] Check mobile endpoints access across the board. #30761

wants to merge 6 commits into from

Conversation

esoergel
Copy link
Contributor

@esoergel esoergel commented Nov 22, 2021
edited
Loading

Product Description

Technical Summary

Restrict access to all mobile endpoints when "restrict mobile endpoints" feature flag is enabled. I've done some testing on staging, and this seems to behave as expected, with one tangential caveat.

Note that this does also disable non-sensitive mobile operations like device log submissions, heartbeat, and so forth, though I think that's fine, as the idea is that nobody should be using mobile without permissions.

I think the only blocker on merge here is that we likely have APIs submitting to the mobile submission endpoint. We'll need to move them over to the new API submission endpoint before we can close that up.

Feature Flag

USH: Require explicit permissions to access mobile app endpoints

Safety Assurance

Safety story

Automated test coverage

QA Plan

I tested this on staging and found the expected behavior:

restore case search form submission
Web Apps (setting disabled) ✔️ ✔️ ✔️
Mobile (setting disabled) ✔️ ✔️ ✔️
Web Apps (setting enabled) ✔️ ✔️ ✔️
Mobile (setting enabled)
Mobile (setting enabled, with permission) ✔️ ✔️ ✔️

Rollback instructions

  • This PR can be reverted after deploy with no further considerations

Labels & Review

  • Risk label is set correctly
  • The set of people pinged as reviewers is appropriate for the level of risk of the change

@esoergel
sort and clean imports
959c068
@esoergel
Move mobile auth decorators to ota app
0a2e07e
@esoergel
Check mobile access permission for all endpoints
88ecc74 
except form submission, as that handles things very differently
@esoergel
Protect form submission endpoints
906370e 
I'm not totally certain of the _noauth_post endpoint, but from looking
at it, it's probably best to default to locking it down
@esoergel esoergel added Open for review: do not merge A work in progress product/feature-flag Change will only affect users who have a specific feature flag enabled labels Nov 22, 2021
@esoergel esoergel requested a review from snopoke November 22, 2021 15:01
@dimagimon dimagimon added the Risk: High Change affects files that have been flagged as high risk. label Nov 22, 2021
snopoke
snopoke approved these changes Nov 23, 2021
View reviewed changes
corehq/apps/ota/views.py Outdated
@@ -79,7 +79,6 @@
@location_safe
@handle_401_response
@mobile_auth_or_formplayer
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not really related but why does the restore endpoint need mobile_auth_or_formplayer? Is it because SMS forms don't have user auth?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yep, I believe that's the case.

commcare-hq/corehq/apps/domain/decorators.py

Lines 361 to 364 in d5b9a30

- formplayer auth: for SMS forms there is no active user involved in the session and so
formplayer can not use the session cookie to auth. To allow formplayer access to the
endpoints we validate each formplayer request using a shared key. See the auth
function for more details.

The restore endpoint is the only place that mechanism is used.

@snopoke
Copy link
Contributor

snopoke commented Nov 24, 2021

deployed to staging yesterday

@esoergel esoergel mentioned this pull request Dec 3, 2021
Merged
3 tasks
@dimagimon dimagimon removed the Risk: High Change affects files that have been flagged as high risk. label Dec 6, 2021
@esoergel
Copy link
Contributor Author

This PR has (finally) been superseded:
#35435

@esoergel esoergel closed this Jan 23, 2025
@esoergel esoergel deleted the es/mobile-auth branch January 23, 2025 20:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@snopoke snopoke snopoke approved these changes

Assignees
No one assigned
Labels
Open for review: do not merge A work in progress product/feature-flag Change will only affect users who have a specific feature flag enabled
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@esoergel @snopoke @dimagimon