I'm curious to check what could be some possibly secure and recommended ways through which I could send a password as part of a GET request in rails? Just to be explicit, we're using HTTPS in general.

High-level overview of the use case: Our app helps generate a custom list of contacts that we'd like to share with external users who would be directly interested in those contacts for their work purposes. This makes these contacts shareable, but since it's a unique offering of the product we're trying to build, we intend to make the shared list of contacts visible through a combination of shared list link + password.

What steps would an external user normally take to access the shared list:

  1. Enter the shared list link in the browser; this takes them to a web page form where they can enter the password we provided to access the list.
  2. They enter the password through the single-page application (we're using React, if this info is of any use). The URL that they hit on form submit via the browser is mapped internally to the API, which calls the index action of a controller that gets the shared list of contacts for the end user.

Please note: The user who eventually sees the list of shared contacts doesn't necessarily need to have a user session or in any way be logged in to access the list. They would just need the password to access the list, and the list could just be a collated list of contacts extracted into some document like a Google Sheet that they can download for their further perusal.

My research findings so far: Passing the password as part of the Authorization header might be a viable option based on what's mentioned here and here. But I can't fully understand how to deal with the information leakage issue touched upon in what is said below, from here:

> To put it simply, myusername:myPassword@ is clearly designed to convey information that is potentially sensitive, and browsers are generally designed to handle this appropriately, whereas browsers can't guess which part of which queries are sensitive and which are not: expect information leakage there.

Questions on the research findings:

  1. How do I overcome the information leakage issue briefly mentioned above?
  2. From an implementation standpoint, how do I pass only the password as part of a request header in Rails? If one needs to perform authentication using username and password and send them as part of request headers, one can use methods like http_basic_authenticate_with to perform the related authentication. But since in my case I only need to check if the password is valid based on the value of the password sent as part of the request header, I'm not sure how I would access it in my controller and the related index action, which would check if the password is valid before deciding whether or not to retrieve the shared list of contacts.

Additional question: Would it be helpful or easier to go about things if the form submit via the browser when a user enters the password is a POST request, but that is mapped internally to a GET request that hits the index action's API? Not sure if this is even actually possible, and I'm more of a backend developer, but just thinking out loud.

Comments:

  • So, you are sending the password to users so they can unlock a protected asset? – schroeder, commented Jan 19, 2022 at 7:53
  • Yes @schroeder, that's true. It's a private list that can only be accessed by users who have a password. – commented Jan 19, 2022 at 11:55

1 Answer

Custom header (or custom use of the Authorization header, or technically you could use Basic auth but please don't) is the only option... if it actually needs to be a GET. Why should it, though? You already control the API and the client. Just make it a POST request and put the credentials in the body, same as every login flow.

The critical thing is to keep the credentials out of anywhere likely to be logged. URLs are therefore a bad idea (and additionally, they can be read over somebody's shoulder, stored in browser history/favorites, etc.). Authorization headers are good; those are known to contain secrets. Totally custom headers are probably fine, though I'd put the string "password" in the header name (e.g. X-Password), as some logging systems recognize strings like that as a "don't log this value" signal. Request bodies are frequently not logged, so that's usually OK, but again you should make the field containing the password (be it JSON, YAML, URL-encoded form data, etc.) be called something with "password" in the name, just in case.

Comments:

  • Thank you very much for your answer :) I think your suggestion of making it a POST makes a lot of sense, and in Rails specifically there is a way to do this using a file called config/initializers/filter_parameter_logging.rb. Please accept my apologies for not accepting your answer earlier; I wanted to wait for a couple of days to see if anybody else had other suggestions that they may want to recommend in the context of my question. – commented Jan 23, 2022 at 18:28
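The approach the answer and the follow-up comment converge on, as an added plain-Ruby illustration that is not code from the question, the answer, or Rails itself: take the password from the POST body (or from a header whose name contains "password"), compare it in constant time against a stored digest, and redact any parameter whose name mentions "password" before the request is logged, mirroring what config/initializers/filter_parameter_logging.rb does in a Rails app. The hash-based `headers` and `params` arguments, the stored digest and the log line are all constructed stand-ins for a controller's `request.headers` and `params`.

```ruby
require "openssl"
require "digest"

# Hypothetical shared-list secret, stored only as a SHA-256 digest (constructed value).
SHARED_LIST_DIGEST = Digest::SHA256.hexdigest("correct horse battery staple")

# Pull the candidate password from the request. `params` and `headers` are plain
# Hashes standing in for Rails' params / request.headers. Order of preference:
# POST body field, then an X-Password header, then an Authorization: Bearer token.
# Nothing is ever read from the URL query string.
def extract_password(headers, params)
  params["password"] ||
    headers["X-Password"] ||
    headers["Authorization"]&.sub(/\ABearer\s+/i, "")
end

# Constant-time check: both sides are fixed-length hex digests, so neither the
# length nor the number of matching bytes of the candidate affects timing.
def password_valid?(candidate)
  return false if candidate.nil? || candidate.empty?
  OpenSSL.fixed_length_secure_compare(
    Digest::SHA256.hexdigest(candidate), SHARED_LIST_DIGEST
  )
end

# Mimics Rails' `config.filter_parameters += [:password]`: any key whose name
# contains "password" (case-insensitive) is replaced with [FILTERED] in logs.
# This is why naming the field "password" rather than "code" or "key" matters.
def filter_for_log(params)
  params.to_h { |k, v| [k, k.to_s.match?(/password/i) ? "[FILTERED]" : v] }
end

# Stand-in for the controller's index action: returns the HTTP status it would
# respond with and the log line it would write, so the redaction is visible.
def handle_share_request(headers, params)
  log_line = "POST /shared_lists/42 params=#{filter_for_log(params)}"
  status = password_valid?(extract_password(headers, params)) ? 200 : 401
  [status, log_line]
end

if __FILE__ == $PROGRAM_NAME
  status, log = handle_share_request({}, { "password" => "correct horse battery staple" })
  puts "status=#{status} log=#{log}"
end
```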
