
Add a hideToken option to avoid sending the token via querystring #1378

Closed
wants to merge 1 commit into from

Conversation

BrunoCaimar
Contributor

  • Our security scanning does not allow sending tokens via GET anymore
  • Sending the token via the request header does not work because map services do not allow the preflight request

This can potentially fix #1364.

+ Company security scanning does not allow sending tokens via GET anymore
+ Sending the token via the request header does not work because map services do not allow the preflight request
@BrunoCaimar BrunoCaimar marked this pull request as ready for review October 13, 2023 12:38
@patrickarlt
Contributor

@BrunoCaimar I took the day to talk this through with internal teams at Esri. The consensus is that this behavior (token in the query string for GET requests) isn't really something we want to work around by making everything POST requests. The main issue is that POST requests are not cached anywhere in the system and this would defeat the work we have done to make feature layer requests tileable, cacheable and repeatable for the best performance. In the case of viral or heavily accessed feature services you would almost certainly run into rate limiting.

In order to hide the token in GET requests and still have the queries be cacheable we would need the server to properly handle preflighting OPTIONS requests. This could be done but it means that you double the number of requests and introduce another 150-200ms request-response cycle to do the preflighting, which was judged as an unacceptable performance hit.

To mitigate this you can do the following:

  • If you are accessing private user data use short lived tokens via OAuth 2.0 with PKCE. This will mean that tokens that do exist in logs are short lived and will likely be invalid by the time they could be used maliciously. This is the approach taken by the ArcGIS Maps SDK for JavaScript by default.
  • If you are using API keys we recommend rotating keys on a regular basis for the same reasons above. We recommend this in our best practices.
  • If you are using API keys and want shorter expiration times for tokens you could switch to app credential authentication and generate a short lived token on the server to use on the client. Since these tokens expire quickly you can simply generate as many tokens as you need with short expiration.
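The operational side of the trade-off discussed in this thread, as an added example that is not part of the pull request, the comment above, or the arcgis-rest-js code base: a token sent as a GET query-string parameter lands in ordinary HTTP access logs, so the defender's job is to detect such lines, redact the value before the log is stored or shipped, and reason about how long a leaked token remains usable, which is exactly why short-lived tokens are recommended. The access log lines are constructed for this example, the `token` parameter name and the `Parcels` service path are assumptions, and the timestamps are chosen to match the PR date only for readability.

```javascript
// Added example (not project code): detect and redact tokens that were sent in a
// GET query string and therefore appear in access logs, and show how token
// lifetime bounds the damage of such a leak. All data below is constructed.

const TOKEN_PARAM = "token"; // assumed query parameter name for the credential

// Constructed sample access log (Combined Log Format). Line 1 carries the token
// in the query string (logged), line 2 sends it in a POST body (not logged),
// line 3 is an anonymous request with no credential at all.
const SAMPLE_LOG = [
  '203.0.113.7 - - [13/Oct/2023:12:38:00 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=1%3D1&f=json&token=AbC123-constructed-secret HTTP/1.1" 200 5120',
  '203.0.113.7 - - [13/Oct/2023:12:38:01 +0000] "POST /arcgis/rest/services/Parcels/FeatureServer/0/query HTTP/1.1" 200 5120',
  '203.0.113.9 - - [13/Oct/2023:12:38:02 +0000] "GET /arcgis/rest/services/Parcels/FeatureServer/0/query?where=1%3D1&f=json HTTP/1.1" 200 5120',
];

// Pull the request line (method and target) out of a CLF entry; null if it
// does not look like one.
function parseRequestLine(line) {
  const m = line.match(/"([A-Z]+) (\S+) HTTP\/[\d.]+"/);
  return m ? { method: m[1], target: m[2] } : null;
}

// Return the credential found in the query string of a request target, or null.
// The base URL is a placeholder so that a relative target parses; only the
// query component is read.
function tokenInQuery(target) {
  const url = new URL(target, "http://placeholder.invalid");
  return url.searchParams.get(TOKEN_PARAM);
}

// Replace the token value in the raw line so the log can be stored safely.
// Works on the raw text so the rest of the line is left byte-for-byte intact
// (re-serialising through URLSearchParams could re-encode other parameters).
function redactLine(line) {
  const re = new RegExp(`([?&]${TOKEN_PARAM}=)[^&\\s"]+`, "g");
  return line.replace(re, "$1REDACTED");
}

// Audit a batch of log lines: which entries leaked a token, plus redacted output.
function auditAccessLog(lines) {
  const exposed = [];
  const redacted = [];
  lines.forEach((line, i) => {
    const req = parseRequestLine(line);
    if (req && tokenInQuery(req.target) !== null) {
      exposed.push({ index: i, method: req.method });
    }
    redacted.push(redactLine(line));
  });
  return { exposed, redacted };
}

// Is a token that was issued at issuedAtMs with the given lifetime still usable
// at readAtMs? This is the substance of the short-lived token recommendation:
// a 30-minute OAuth token read out of a log a day later is dead; a year-long
// key is not.
function tokenUsableAt(issuedAtMs, lifetimeMs, readAtMs) {
  return readAtMs >= issuedAtMs && readAtMs < issuedAtMs + lifetimeMs;
}

const HOUR = 60 * 60 * 1000;
const ISSUED_AT = Date.UTC(2023, 9, 13, 12, 38, 0); // matches the sample log
const LOG_REVIEWED_AT = ISSUED_AT + 24 * HOUR;       // logs are usually read later

// Summary a reviewer would look at: how many entries leaked a credential, what
// the redacted line looks like, and whether the leaked token would still work.
function exposureSummary() {
  const { exposed, redacted } = auditAccessLog(SAMPLE_LOG);
  return {
    exposedCount: exposed.length,
    firstRedacted: redacted[0],
    shortLivedStillUsable: tokenUsableAt(ISSUED_AT, HOUR / 2, LOG_REVIEWED_AT),
    longLivedStillUsable: tokenUsableAt(ISSUED_AT, 365 * 24 * HOUR, LOG_REVIEWED_AT),
  };
}

console.log(JSON.stringify(exposureSummary(), null, 2));
```

Running it flags only the first line, emits that line with `token=REDACTED`, and reports the 30-minute token as expired and the year-long key as still live at review time. The same audit applied to a proxy or CDN log is a cheap way to confirm whether any client in the system is still sending credentials in the query string after a migration to short-lived tokens.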

@BrunoCaimar BrunoCaimar deleted the hideTokenOption branch October 20, 2023 20:40
Successfully merging this pull request may close these issues.

Token is exposed in GET request