Development:External services security
Description of the security framework for web services; it also covers RSS feeds, embedded applications and similar parts that cannot use normal HTTP cookies.
Overview
Current solutions
- user keys for gradebook import and export - see require_user_key_login() and db table user_private_key
- open RSS feeds - no security at all
- chat_sid tokens - generated separately for each user in each chat
- calendar hash from user name, password and salt
- hacky cookie emulation in visual gradebook plugin
Types of token
We need several types of tokens:
- token linked to an active session; it should time out or be destroyed at the same time as the session (ex.: chat) - shares the real $SESSION and $USER
- permanent token, revocable by the user (ex.: RSS feeds, web services) - emulated $SESSION and $USER
In the second case we need to deal with performance problems if many repeated requests are expected. This can be dealt with later.
API layers
Three layers:
- external server interface (SOAP, REST, RSS, etc.) - deals with tokens, emulates the user session, processes parameters
- public PHP API - functions usable directly from PHP, list generated from inline PHP docs; must verify all parameters and do access control, may access $USER, should not manipulate $SESSION directly, must not read $_POST or $_GET
- low level internal API - as fast as possible, basic parameter validation, no access control; must not touch $USER, $SESSION, $_GET or $_POST, must not use has_capability() or require_login()!
Implementation
Updated user_private_key table
Stores active tokens for cookieless access.
Field | Type | Default | Description |
---|---|---|---|
id | int(10) | auto-incrementing | |
type | int(10) | 0 | 0 means original permanent key, 1 means key linked to current session |
value | varchar(128) | | private access key value |
sid | varchar(128) | null | optional session identifier when key linked to active session |
service | varchar(150) | | name of service (ex. mod/forum/rss) |
userid | int(10) | | foreign key, references user.id |
contextid | int(10) | null | security restriction, key usable only in this context, references context.id |
iprestriction | varchar(255) | null | IP address restriction, list of allowed addresses |
validuntil | int(10) | null | timestamp - valid until date |
timecreated | int(10) | | time when key created |
An alternative solution would be two separate tables, one for each key type.
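The following is an added example, not Moodle's own code, that ties the two preceding sections together: it walks a cookieless request through the three API layers, with the external layer checking every column of a user_private_key row before emulating $USER. The $KEYS array (constructed rows), session_is_active() and user_can_view_forum() are hypothetical stand-ins for the real DB table, session store and has_capability(); the forum functions are illustrative names, not Moodle's.

```php
<?php
declare(strict_types=1);
// Added example, not Moodle's own code: models the key check an external
// server interface performs before emulating a user session, then the call
// down through the public PHP API to the low level internal API.
// Assumed: $KEYS (constructed rows) stands in for the user_private_key table,
// session_is_active() for the session store and user_can_view_forum() for
// has_capability(); all three are hypothetical.

const KEY_TYPE_PERMANENT = 0; // original permanent key, revocable by the user
const KEY_TYPE_SESSION   = 1; // key linked to an active session

// Constructed sample rows with the same columns as the user_private_key table.
$KEYS = [
    ['id' => 1, 'type' => KEY_TYPE_PERMANENT, 'value' => 'perm-abc', 'sid' => null,
     'service' => 'mod/forum/rss', 'userid' => 7, 'contextid' => null,
     'iprestriction' => '10.0.0.0/8', 'validuntil' => null, 'timecreated' => 1000],
    ['id' => 2, 'type' => KEY_TYPE_SESSION, 'value' => 'sess-xyz', 'sid' => 'S1',
     'service' => 'mod/chat', 'userid' => 7, 'contextid' => 42,
     'iprestriction' => null, 'validuntil' => 2000, 'timecreated' => 1500],
];

// Hypothetical stand-ins for the session store and the capability check.
function session_is_active(string $sid): bool { return $sid === 'S1'; }
function user_can_view_forum(array $user, int $forumid): bool { return $user['id'] === 7; }

// IPv4 address/CIDR list check for the iprestriction column (comma separated).
function ip_allowed(string $ip, ?string $restriction): bool {
    if ($restriction === null || trim($restriction) === '') {
        return true; // no restriction recorded for this key
    }
    foreach (array_map('trim', explode(',', $restriction)) as $rule) {
        if (strpos($rule, '/') === false) {
            if ($rule === $ip) { return true; }
            continue;
        }
        [$net, $bits] = explode('/', $rule, 2);
        $mask = -1 << (32 - (int)$bits);
        if ((ip2long($ip) & $mask) === (ip2long($net) & $mask)) { return true; }
    }
    return false;
}

// External server interface layer: every column of the key row is a check.
// Returns [row, 'ok'] or [null, reason]; the reason is for the server log,
// the client only ever gets a generic failure.
function validate_key(array $keys, string $value, string $service, string $ip, int $now, ?int $contextid): array {
    foreach ($keys as $key) {
        if (!hash_equals($key['value'], $value)) { continue; } // constant-time compare
        if ($key['service'] !== $service) { return [null, 'key issued for another service']; }
        if ($key['validuntil'] !== null && $key['validuntil'] < $now) { return [null, 'key expired']; }
        if (!ip_allowed($ip, $key['iprestriction'])) { return [null, 'client IP not allowed']; }
        if ($key['contextid'] !== null && $key['contextid'] !== $contextid) { return [null, 'wrong context']; }
        // A type 1 key dies with its session; a type 0 key lives until revoked.
        if ($key['type'] === KEY_TYPE_SESSION && ($key['sid'] === null || !session_is_active($key['sid']))) {
            return [null, 'linked session no longer active'];
        }
        return [$key, 'ok'];
    }
    return [null, 'unknown key'];
}

// Low level internal API: basic parameter validation only, no access control,
// never touches $USER or $SESSION.
function forum_get_rss_items_internal(int $forumid): array {
    return [['forumid' => $forumid, 'title' => 'constructed item']];
}

// Public PHP API: full parameter validation and access control against the
// (emulated) user handed in; never reads $_GET or $_POST itself.
function forum_get_rss_items(array $user, int $forumid): array {
    if ($forumid <= 0) { throw new InvalidArgumentException('invalid forumid'); }
    if (!user_can_view_forum($user, $forumid)) { throw new RuntimeException('access denied'); }
    return forum_get_rss_items_internal($forumid);
}

// External entry point for an RSS request carrying a permanent key.
function serve_rss(array $keys, string $token, string $ip, int $now, int $forumid): array {
    [$key, $reason] = validate_key($keys, $token, 'mod/forum/rss', $ip, $now, null);
    if ($key === null) {
        error_log("rss key rejected: $reason");
        return ['status' => 403];
    }
    $user = ['id' => $key['userid']]; // emulated $USER, no real login performed
    try {
        return ['status' => 200, 'items' => forum_get_rss_items($user, $forumid)];
    } catch (RuntimeException $e) {
        return ['status' => 403];
    }
}

var_dump(serve_rss($KEYS, 'perm-abc', '10.1.2.3', 1800, 5));
var_dump(serve_rss($KEYS, 'perm-abc', '192.0.2.9', 1800, 5));
var_dump(validate_key($KEYS, 'sess-xyz', 'mod/chat', '192.0.2.9', 2500, 42));
```

The three calls at the bottom exercise, in turn, a permanent key from inside its allowed subnet, the same key from an address outside it, and a session-linked key presented after its validuntil time. Note that the reason string never leaves the server: an attacker probing keys learns only that a request failed, while the log keeps enough detail for the operator to tell an expired key from a stolen one used from the wrong network.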
New public_functions table
List of public functions. Created automatically by parsing external files.
New public_services table
Service is defined as a group of functions.
New capabilities
New capability for each public service above.
New auth plugins
Used for the system user accounts that web services run under. Intended for services that need to supply a username/password. The alternative is to generate a normal user token and use it instead of login/password authentication.