Public vs Private/Admin API
Hi all, I've been thinking a little about API security. When I look at http://localhost:8081/api/v1/.html, I see every API route we define in Koha. Do we really want all of these APIs to be accessible to any API consumer? In many cases, I imagine we only want Staff Interface users (or approved third-party tools) using a lot of these API routes. At the moment, if someone cracks the password of an admin user on the OPAC, they'd then be able to access admin APIs via the OPAC site. That seems suboptimal to me. In theory, breaching the OPAC should have a small blast radius that only affects one user. In practice, if someone breaches the OPAC with an admin user, the blast radius can still be large. Based on https://www.keycloak.org/docs/latest/server_admin/index.html#admin-endpoints -and-console, it could be good to have separate admin API and public API interfaces, which can then be configured and protected differently. I suppose a person could IP restrict the API at the moment and just allow public access to /api/v1/public/ routes. I suppose I just wonder about having more restrictive defaults, although in the Keycloak case the defaults are permissive. Anyway, just sharing my thoughts on this one. David Cook Software Engineer Prosentient Systems 72/330 Wattle St Ultimo, NSW 2007 Australia Office: 02 9212 0899 Online: 02 8005 0595
participants (1)
-
dcook@prosentient.com.au