Secure Subrequests: Authentication & Authorization

G5 Cyber Security

1 week ago

TL;DR

This guide shows how to securely handle authentication and authorization when making subrequests (requests from your application to itself or other services). We’ll cover passing user information, verifying access rights, and protecting against common vulnerabilities.

1. Understanding the Problem

When your application makes a request to another part of itself (a subrequest), it doesn’t automatically inherit the original user’s identity or permissions. You need to explicitly pass this information along and verify it on the receiving end. Failing to do so can lead to security breaches where users gain access to resources they shouldn’t.

2. Passing User Information

Headers: The most common approach is to include user-related data in HTTP headers.

User ID: Pass the unique identifier of the logged-in user.
Roles/Permissions: Include a list or encoded representation of the user’s permissions.
Authentication Token: If using tokens (e.g., JWT), forward the token in an Authorization header.

Example (Python with Requests):

import requests

token = 'your_jwt_token'
user_id = 123

headers = {
    'Authorization': f'Bearer {token}',
    'X-User-ID': str(user_id)
}

response = requests.get('https://your-subrequest-endpoint', headers=headers)

Context Propagation: For more complex applications, consider using context propagation libraries (e.g., OpenTelemetry) to automatically pass tracing and user information across service boundaries.

3. Verifying Access Rights

Authentication Middleware: Implement middleware on the receiving end of the subrequest to authenticate the user based on the passed credentials (e.g., token validation).

Token Validation: Check if the token is valid, not expired, and hasn’t been revoked.
User Lookup: Retrieve user information from your database using the User ID or other identifier.

Authorization Logic: After authentication, determine if the user has permission to access the requested resource or perform the desired action.

Role-Based Access Control (RBAC): Define roles with specific permissions and assign users to those roles.
Attribute-Based Access Control (ABAC): Use attributes of the user, resource, and environment to make access decisions.

Example (Python with Flask):

from flask import request, jsonify

@app.route('/protected')
def protected_resource():
    token = request.headers.get('Authorization')
    user_id = request.headers.get('X-User-ID')

    if not token or not user_id:
        return jsonify({'message': 'Authentication required'}), 401

    # Validate the token and retrieve user information...
    # (This is a simplified example; use a proper library)
    user = get_user(int(user_id))

    if not user or user.role != 'admin':
        return jsonify({'message': 'Authorization failed'}), 403

    return jsonify({'message': 'Access granted'})

4. Security Considerations

Never Trust Client Data: Always validate data received from the client (including headers) before using it.
HTTPS Only: Ensure all communication between your application and subrequests is over HTTPS to prevent eavesdropping and man-in-the-middle attacks.
Input Validation: Sanitize and validate any input passed in the request, even if it’s coming from a trusted source within your own application.
Rate Limiting: Implement rate limiting on subrequests to prevent abuse and denial-of-service attacks.
Logging & Auditing: Log all authentication and authorization events for auditing purposes.

5. Common Mistakes

Skipping Authentication: Assuming that because it’s an internal request, no authentication is needed.
Hardcoding Permissions: Embedding permissions directly in the code instead of using a flexible RBAC or ABAC system.
Insufficient Validation: Failing to properly validate user input and credentials.