DOC Update references to graphql basic-auth

Co-authored-by: Garion Herman <garion@silverstripe.com>
Co-authored-by: Maxime Rainville <maxime@silverstripe.com>
Steve Boyd 2021-02-15 15:15:30 +13:00
parent 8b28c5647b
commit 8167c6f3ef
2 changed files with 20 additions and 3 deletions


@ -43,11 +43,13 @@ the [CSRF Middleware](csrf_protection) enabled. (It is by default).**
### HTTP basic authentication ### HTTP basic authentication
Silverstripe CMS has built-in support for [HTTP basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication). Silverstripe CMS has built-in support for [HTTP basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication).
There is a `BasicAuthAuthenticator` which is configured for GraphQL by default, but
There is a `BasicAuthAuthenticator` which can be configured for GraphQL that
will only activate when required. It is kept separate from the SilverStripe CMS will only activate when required. It is kept separate from the SilverStripe CMS
authenticator because GraphQL needs to use the successfully authenticated member authenticator because GraphQL needs to use the successfully authenticated member
for CMS permission filtering, whereas the global `BasicAuth` does not log the for CMS permission filtering, whereas the global `BasicAuth` does not log the
member in or use it for model security. member in or use it for model security. Note that basic auth will bypass MFA authentication
so if MFA is enabled it is not recommended that you also use basic auth for graphql.
When using HTTP basic authentication, you can feel free to remove the [CSRF Middleware](csrf_protection), When using HTTP basic authentication, you can feel free to remove the [CSRF Middleware](csrf_protection),
as it just adds unnecessary overhead to the request. as it just adds unnecessary overhead to the request.
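Review bot: The rewritten opening sentence no longer parses: "There is a `BasicAuthAuthenticator` which can be configured for GraphQL that will only activate when required" leaves the "that" clause dangling now that "by default, but" is gone. Suggest "There is a `BasicAuthAuthenticator` which can be configured for GraphQL and which will only activate when required." The added MFA note also reads "bypass MFA authentication" (authentication twice, since MFA already expands to multi-factor authentication) and uses "graphql" where the surrounding paragraph uses "GraphQL"; suggest "Note that basic auth bypasses MFA, so if MFA is enabled it is not recommended that you also use basic auth for GraphQL." Since this hunk now says the authenticator is opt-in, it would help to point readers to where they enable it, e.g. the "Defining your own authenticators" section this same commit links from the changelog.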
@ -95,7 +97,7 @@ is applicable in the current request context (provided as an argument).
Here's an example for implementing HTTP basic authentication: Here's an example for implementing HTTP basic authentication:
[notice] [notice]
Note that basic auth is enabled by default. Note that basic authentication for graphql will bypass Multi-Factor Authentication (MFA) if that's enabled. Using basic authentication for graphql is considered insecure if you are using MFA .
[/notice] [/notice]
```yaml ```yaml
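Review bot: The replacement notice drops the one fact the previous text carried (whether basic auth is on by default) without stating the new default; because this notice sits directly under "Here's an example for implementing HTTP basic authentication", readers still need to know the authenticator is no longer enabled by default and that the YAML below is what turns it on. Suggest adding a first sentence to that effect. Minor: there is a stray space before the final period ("using MFA ."), and "graphql" should be "GraphQL" to match the rest of the page.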


@ -59,3 +59,18 @@ remove this shim. We expect this happen within just one minor release, making `_
Based on feedback from users, we've reduced the time period of the "remember me" checkbox on the login form from Based on feedback from users, we've reduced the time period of the "remember me" checkbox on the login form from
90 to 30 days. This value is configurable via `SilverStripe\Security\RememberLoginHash::token_expiry_days`. 90 to 30 days. This value is configurable via `SilverStripe\Security\RememberLoginHash::token_expiry_days`.
## Security patches
This release contains security patches. Some of those patches might require some
updates to your project.
* [CVE-2020-26136 GraphQL doesn't honour MFA when using basic auth](https://www.silverstripe.org/download/security-releases/CVE-2020-26136)
### CVE-2020-26136 GraphQL doesn't honour MFA when using basic auth {#CVE-2020-26136}
The Silverstripe CMS graphql endpoint on `/admin/graphql` can be accessed via basic authentication and bypass Multi-Factor Authentication (MFA).
The basic-auth authenticator is no longer enabled by default. The regular member authenticator is still enabled and
protects the `/admin/graphql` endpoint.
If your site does not use MFA, or you understand that it can be bypassed, then the basic authenticator can be
reinstalled with the [following configuration](/docs/en/02_Developer_Guides/19_GraphQL/04_security_and_best_practices/01_authentication.md#defining-your-own-authenticators).
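Review bot: "reinstalled" in the last paragraph suggests a Composer step, but the paragraph above says the authenticator is "no longer enabled by default", so "re-enabled" is the accurate verb. The cross-reference is an absolute path into the docs tree ending in `01_authentication.md#defining-your-own-authenticators`; please confirm it resolves in the rendered documentation, since the other docs link in this commit (`csrf_protection`) uses the short relative form. Also consider stating in the CVE section which release the fix ships in, so readers of this changelog know whether they are affected.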