[Koha-devel] Public vs Private/Admin API

dcook at prosentient.com.au
Tue Aug 11 01:50:24 CEST 2020


Hi all,

I've been thinking a little about API security. When I look at
http://localhost:8081/api/v1/.html, I see every API route we define in Koha.
Do we really want all of these APIs to be accessible to any API consumer?

In many cases, I imagine we only want Staff Interface users (or approved
third-party tools) using a lot of these API routes.

At the moment, if someone cracks the password of an admin user on the OPAC,
they'd then be able to access admin APIs via the OPAC site. That seems
suboptimal to me. In theory, breaching the OPAC should have a small blast
radius that only affects one user. In practice, if someone breaches the OPAC
with an admin user, the blast radius can still be large.

Based on
https://www.keycloak.org/docs/latest/server_admin/index.html#admin-endpoints-and-console,
it could be good to have separate admin API and public API
interfaces, which can then be configured and protected differently.

I suppose a person could IP restrict the API at the moment and just allow
public access to /api/v1/public/ routes. I suppose I just wonder about
having more restrictive defaults, although in the Keycloak case the defaults
are permissive.

Anyway, just sharing my thoughts on this one.

David Cook

Software Engineer

Prosentient Systems

72/330 Wattle St

Ultimo, NSW 2007

Australia

Office: 02 9212 0899

Online: 02 8005 0595
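One way to apply the IP restriction mentioned in the post, as an added illustration that is not from the post or from Koha's own shipped configuration: an Apache 2.4 fragment that closes the whole /api/v1/ tree on the OPAC vhost except for /api/v1/public/, and limits the full API on the staff vhost to listed networks. It assumes Koha's usual layout of separate OPAC and staff vhosts proxying /api/v1/ to the same Plack backend; hostnames, ports and address ranges are placeholders.

```apache
# Added illustration, not Koha's own configuration.
# Assumes Apache 2.4 (mod_authz_core) and Koha's usual layout:
# OPAC vhost on port 80, staff vhost on port 8080, both proxying
# /api/v1/ to the same Plack/Mojolicious backend.

<VirtualHost *:80>
    # placeholder hostname
    ServerName opac.example.org
    # ... existing Koha OPAC directives (ProxyPass, DocumentRoot, ...) ...

    # Deny the entire API tree on the OPAC vhost, including the
    # generated spec at /api/v1/.html ...
    <Location /api/v1/>
        Require all denied
    </Location>

    # ... then re-open only the routes Koha itself marks as public.
    # A later, more specific <Location> overrides the broader one above.
    <Location /api/v1/public/>
        Require all granted
    </Location>
</VirtualHost>

<VirtualHost *:8080>
    # placeholder hostname
    ServerName staff.example.org
    # ... existing Koha staff-interface directives ...

    # Keep the full API on the staff vhost, but only from loopback,
    # the staff network and approved integration hosts
    # (192.0.2.0/24 is a placeholder documentation range).
    <Location /api/v1/>
        Require ip 127.0.0.1 ::1 192.0.2.0/24
    </Location>
</VirtualHost>
```

A cracked staff password still grants the full API from an allowed network, so this narrows the OPAC blast radius rather than replacing per-route authorization.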
