[Admin] Audit Feedback

[karntrehan]

Todo:

• [H] Rate limit - Implement on Hasura and handle error on FE. - @amit-s19 @choxx #
• [H] Password encryption - User service already has this out of the box. We need to implement the same on admin. @amit-s19 @choxx #
• [M] Fix CORS Issue - @amit-s19 @choxx #
• [L] Remove server version - @choxx #
• [L] Account Lockout - Lock account / rate limit invalid login attempts. - @amit-s19 @choxx #
• [M] Improper Authorization - Sending entire token would need to fix this. @amit-s19

To Evaluate:

• [H] HTTP Method - Options, Put, Patch, Delete would need to be removed? - @amit-s19 @choxx #
• [M] Etag exposure by FA - @choxx #
• [L] Http Security Headers - Consider adding security headers. - @choxx #

Not needed:

• Session Timeout - This is not a valid usecase for us.
• Forgot Password - This is not a valid usecase for us.
• CAPTCHA - This is not a valid usecase for us.

[choxx]

Password encryption

User service side validated & fixed for the issue encountered. Login credentials encryption is functional at backend. Sharing a sample curl below:

curl --location 'http://us-edb.samagra.io/api/login' \
--header 'Content-Type: application/json' \
--data '{
    "password": "g+06DCedaooXzkCLOIK0yg==",
    "loginId": "iCSUhyilHLbZxCyWrhUR+w==",
    "applicationId": "77638847-db34-4331-b369-5768fdfededd"
}'

Encryption technique in Javascript can be referenced here: https://github.com/Samagra-Development/fa-proxy/blob/master/static/secure.js#L90

Note: Currently, we are using legacy APIs in Admin Console. Going forward, we must use the above-mentioned Generic login API.

[choxx]

Remove etag exposure from headers

It can be handled in 2 ways:

1. Code side remove headers.
2. Set Webserver (e.g. Nginx) to stop sending Etag headers; etag off;

Fixed. Will be deployed in next release.

[karntrehan]

Password encryption done on Admin panel. Rate limit not available in free version of Hasura. To be explored.
Salt being saved in bundle. Visible to attackers. To explore relay API to do this.

[amit-s19]

Tested APIs properly, every api call without auth token throws error of "Missing Authorization header" as well as auth levels are also handled correctly. Improper Authorization maybe irrelevant.

[amit-s19]

After evaluating Admin Console, it is found that GET,POST methods are sufficient for the entirety of the platform and other methods like OPTIONS,PUT,DELETE can be disabled/

[choxx]

Rate limit - Implement on Hasura and handle error on FE

Rate limiting has been added to Nginx (not hasura) as Hasura self hosted version do not have this feature.
Current rate limit is 1000 req/minute for a unique IP.

Post the limit reach, nginx will respond with 429 (Too many requests) http response code.

limit_req_zone $binary_remote_addr zone=mylimit:1000m rate=1000r/m;
limit_req_status 429;
limit_conn_status 429;
server_tokens off;

server {
	# Add index.php to the list if you are using PHP
    	server_name hpsamarth-hasura.in; # managed by Certbot


	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		# try_files $uri $uri/ =404;
		limit_req zone=mylimit burst=50 nodelay;
		proxy_pass http://10.139.4.67:8080;
	}

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/hpsamarth-hasura.in/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/hpsamarth-hasura.in/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

[choxx]

Remove server version

Fixed. Need to add the below line in nginx conf files:
server_tokens off;

[choxx]

Account Lockout - Lock account / rate limit invalid login attempts

Account lockout functionality has been added via Fusion Auth User Actions feature. User service has been accommodated for the changes to support the specific error.

Here is the sample response:

{
    "responseCode": "FAILURE",
    "params": {
        "responseMsgId": "e09e2d3f-97ce-4654-9d15-40fe0fdddf27",
        "msgId": "4f36c74a-e80a-41d0-84fa-b90b6570d6e6",
        "err": "ACCOUNT_LOCKED",
        "status": "Failure",
        "errMsg": "Multiple failed login attempts. Please retry again later."
    },
    "ts": "2023-07-25T13:11:13.291Z",
    "id": "9d6bce22-84a3-411b-9304-53c37376bdeb",
    "result": null
}

Current settings:

i.e. on every 10 failed login attempts within 60 seconds will cause the user's account locking for 3 minutes.

[choxx]

CORS

Added support for CORs configurable via environment variables.

CORS_ALLOWED_ORIGINS=https://example.com
CORS_ALLOWED_HEADERS=Content-Type,Authorization,x-application-id
CORS_ALLOWED_METHODS=GET,PUT,POST,DELETE,PATCH,OPTIONS

We can remove DELETE & OPTIONS method via CORS but not PUT & POST to maintain backward compatibility.

https://github.com/Samagra-Development/user-service/blob/master/src/main.ts#L24

[choxx]

Http Security Headers

• User service: Security headers have been added using a node package named helmet with default settings. https://github.com/Samagra-Development/user-service/blob/master/src/main.ts#L21
• Esamwad backend

Caution: adding CORS & these security headers may have a negative impact on the functioning of various Web Apps (not applicable on Android apps).

[choxx]

HTTP Method

GET, PUT, POST, PATCH - these headers have been allowed now. We cannot get rid of PUT & PATCH methods to maintain backward compatibility.
https://github.com/Samagra-Development/user-service/blob/master/src/main.ts#L27

[aakashyadav-kgp]

Changes done. To be deployed today for testing.

[karntrehan]

@aakashyadav-kgp to test the flow.