mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 12:05:37 +00:00
DOC Update references to graphql basic-auth
Co-authored-by: Garion Herman <garion@silverstripe.com>
Co-authored-by: Maxime Rainville <maxime@silverstripe.com>
parent 8b28c5647b
commit 8167c6f3ef
@ -43,11 +43,13 @@ the [CSRF Middleware](csrf_protection) enabled. (It is by default).**
### HTTP basic authentication
### HTTP basic authentication
Silverstripe CMS has built-in support for [HTTP basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication).
Silverstripe CMS has built-in support for [HTTP basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication).
There is a `BasicAuthAuthenticator` which is configured for GraphQL by default, but
There is a `BasicAuthAuthenticator` which can be configured for GraphQL that
will only activate when required. It is kept separate from the SilverStripe CMS
will only activate when required. It is kept separate from the SilverStripe CMS
authenticator because GraphQL needs to use the successfully authenticated member
authenticator because GraphQL needs to use the successfully authenticated member
for CMS permission filtering, whereas the global `BasicAuth` does not log the
for CMS permission filtering, whereas the global `BasicAuth` does not log the
member in or use it for model security.
member in or use it for model security. Note that basic auth will bypass MFA authentication
so if MFA is enabled it is not recommended that you also use basic auth for graphql.
When using HTTP basic authentication, you can feel free to remove the [CSRF Middleware](csrf_protection),
When using HTTP basic authentication, you can feel free to remove the [CSRF Middleware](csrf_protection),
as it just adds unnecessary overhead to the request.
as it just adds unnecessary overhead to the request.
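Review bot: the rewritten opening sentence ("which can be configured for GraphQL that will only activate when required") stacks two relative clauses and no longer parses; suggest `There is a \`BasicAuthAuthenticator\` which can be configured for GraphQL and which will only activate when required.` The added MFA sentence says "bypass MFA authentication" (the A already stands for authentication) and uses lowercase "graphql" where the rest of the section writes GraphQL; `Note that basic auth bypasses MFA, so if MFA is enabled it is not recommended that you also use basic auth for GraphQL.` reads cleaner. Since the hunk now warns that basic auth bypasses MFA, the unchanged trailing advice that the CSRF middleware "just adds unnecessary overhead" deserves a qualifier in the same edit: browsers cache Basic credentials and resend them automatically for the realm, so dropping the middleware is only safe for non-browser API clients.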
@ -95,7 +97,7 @@ is applicable in the current request context (provided as an argument).
Here's an example for implementing HTTP basic authentication:
Here's an example for implementing HTTP basic authentication:
[notice]
[notice]
Note that basic auth is enabled by default.
Note that basic authentication for graphql will bypass Multi-Factor Authentication (MFA) if that's enabled. Using basic authentication for graphql is considered insecure if you are using MFA .
[/notice]
[/notice]
```yaml
```yaml
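Review bot: the new notice text has a stray space before the final full stop ("using MFA .") and the hedge "if that's enabled" leaves it unclear what is enabled; suggest `Note that basic authentication for GraphQL bypasses Multi-Factor Authentication (MFA). If MFA is enabled, using basic authentication for GraphQL is considered insecure.` Because the old notice ("basic auth is enabled by default") is being removed, the replacement should also tell readers that the authenticator now has to be switched on explicitly with the yaml that follows, otherwise a reader of this page alone cannot tell whether the example is optional hardening or the default.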
@ -59,3 +59,18 @@ remove this shim. We expect this happen within just one minor release, making `_
Based on feedback from users, we've reduced the time period of the "remember me" checkbox on the login form from
Based on feedback from users, we've reduced the time period of the "remember me" checkbox on the login form from
90 to 30 days. This value is configurable via `SilverStripe\Security\RememberLoginHash::token_expiry_days`.
90 to 30 days. This value is configurable via `SilverStripe\Security\RememberLoginHash::token_expiry_days`.
## Security patches
This release contains security patches. Some of those patches might require some
updates to your project.
* [CVE-2020-26136 GraphQL doesn't honour MFA when using basic auth](https://www.silverstripe.org/download/security-releases/CVE-2020-26136)
### CVE-2020-26136 GraphQL doesn't honour MFA when using basic auth {#CVE-2020-26136}
The Silverstripe CMS graphql endpoint on `/admin/graphql` can be accessed via basic authentication and bypass Multi-Factor Authentication (MFA).
The basic-auth authenticator is no longer enabled by default. The regular member authenticator is still enabled and
protects the `/admin/graphql` endpoint.
If your site does not use MFA, or you understand that it can be bypassed, then the basic authenticator can be
reinstalled with the [following configuration](/docs/en/02_Developer_Guides/19_GraphQL/04_security_and_best_practices/01_authentication.md#defining-your-own-authenticators).
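Review bot: the CVE paragraph describes the flaw in the present tense ("can be accessed via basic authentication and bypass"), which in a changelog for the fixing release reads as if the bypass is still live, and "accessed ... and bypass" does not agree grammatically; suggest `Before this release, the Silverstripe CMS GraphQL endpoint on \`/admin/graphql\` could be accessed via basic authentication, bypassing Multi-Factor Authentication (MFA).` In the last paragraph "reinstalled" should be "re-enabled", since the fix is a configuration change rather than a package removal, and "or you understand that it can be bypassed" is vague about the consequence; say directly that re-enabling the basic-auth authenticator restores the MFA bypass for that endpoint. Also keep "GraphQL" capitalised consistently with the heading and the linked docs page.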