Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread James Yong
Hi Jacques,

For 1, seems like an ICsrfDefenseStrategy class implementation issue. We can use 
another Jira for the enhancement / discussion when this JIRA (OFBIZ-11306) is 
completed. 

For 2, csrf-token check is independent of auth check, and the current 
implementation should work as it is. So reviewing whether auth="false" should be 
"true" belongs in another JIRA (i.e. OFBIZ-4956). If there is a need for all 
auth="false" to default to csrf-token="false", we can implement another 
ICsrfDefenseStrategy class or modify the existing CsrfDefenseStrategy class.

Regards,
James

On 2020/03/27 18:16:58, Jacques Le Roux  wrote: 
> Hi All,
> 
> Before I create a PR as a last opportunity to allow reviews and tests, I'd 
> like to ask 2 last questions:
> 
>  1. should we not use a JWT rather than a (pseudo) random value for the CSRF 
> token, this for timeout reason? Don't get me wrong I'm sure that the
> random values generated by java.security.SecureRandom, as currently used, 
> are safe enough. It's just that I wonder about the timeout. Should we care?
>  2. In relation with OFBIZ-4956, we need to check the remaining 195 cases 
> where auth="false" and decide if we should change to "true", with the CSRF
> defense then used by default. In other cases (auth="false" must remain) 
> we need to decide if we should set the CSRF token check to false.
> 
> Apart from that, my 
> https://github.com/JacquesLeRoux/ofbiz-framework/tree/POC-for-CSRF-Token-OFBIZ-11306
>  branch is ready to create a PR. We can't wait too 
> long about those 2 points, even if the 2nd needs a "bit" of work. Anyway, for 
> now I'll wait for answers, and hopefully help for OFBIZ-4956.
> 
> Thanks
> 
> Jacques
> 
> 
> On 26/03/2020 at 07:39, James Yong wrote:
> > +1 with CSRF defense enabled in Demo
> >   
> >> Hi,
> >>
> >> I thought about that a bit more. I suggest to let the stable version 
> >> (soon, R17) as is, i.e. with CSRF defense enabled. This way users, mostly
> >> interested in stable, would see the real situation.
> >>
> >> And to use the NoCsrfDefenseStrategy in trunk. So developers, often 
> >> brought to use the trunk for development reasons, would have more 
> >> latitude; as
> >> they certainly will do locally.
> >>
> >> If nobody disagrees we will do so at 
> >> https://issues.apache.org/jira/browse/OFBIZ-11472 with Swapnil
> >>
> >> If we do so, the link 
> >> https://demo-stable.ofbiz.apache.org/ordermgr/control/main?USERNAME=admin=ofbiz=Y
> >>  will no longer work.
> >>
> >> https://demo-stable.ofbiz.apache.org/ordermgr should be used and we need 
> >> to update https://ofbiz.apache.org/ofbiz-demos.html for that.
> >>
> >> Jacques
> >>
> >>
> 


Re: GraphQL API for OFBiz

2020-03-28 Thread Girish Vasmatkar
Hi Guys -

I've attached the video link of the demo held on 03/27 to the ticket
https://issues.apache.org/jira/browse/OFBIZ-11347. Let me know should you
have any questions.

Best Regards,
Girish


On Sat, Mar 28, 2020 at 2:56 PM Girish Vasmatkar <
girish.vasmat...@hotwaxsystems.com> wrote:

> Hi Pierre
>
> Yes, the demo went well barring some network glitches :). It was recorded as
> well so I will put the details on the ticket. Thanks for your interest.
>
> Best,
> Girish
>
>
>
>
> On Sat, Mar 28, 2020 at 1:30 PM Pierre Smits 
> wrote:
>
>> Hi Girish,
>>
>> How did your presentation go? Unfortunately I was unable to
>> attend/participate, but am curious.
>>
>> Will you capture highlights and put those in the ticket?
>>
> Kind regards
>>
>> Pierre
>>
> On Fri 27 Mar 2020 10:13 Deepak Dixit wrote:
>>
>> > Great initiative Girish.
>> >
>> > Thanks & Regards
>> > --
>> > Deepak Dixit
>> > ofbiz.apache.org
>> >
>> >
>> > On Thu, Mar 26, 2020 at 9:18 PM Girish Vasmatkar <
>> > girish.vasmat...@hotwaxsystems.com> wrote:
>> >
>> > > Hi All
>> > >
>> > > I'm planning an introduction of the OFBiz-GraphQL component that we
>> have
>> > > developed so far. Please find below the hangout meet details -
>> > >
>> > > Date : 03/27/2020 9:00 PM IST, 11:30 AM EST, 3:30 PM GMT.
>> > > Join Hangout Meet : https://meet.google.com/gja-jdwt-wpi
>> > > Join By Phone : +1 661-237-5173 PIN: 585 477 050#
>> > >
>> > > Meeting agenda -
>> > >
>> > >- GraphQL briefing
>> > >   - Queries
>> > >   - Mutations
>> > >- OFBiz-GraphQL component
>> > >   - Architecture
>> > >   - Entity Fetchers
>> > >   - Service Fetchers
>> > >- What Next
>> > >   - Pagination
>> > >   - Interface
>> > >   - Batching
>> > >   - Subscriptions
>> > >
>> > >
>> > > Best Regards
>> > > Girish Vasmatkar
>> > >
>> > >
>> > >
>> > > On Wed, Feb 12, 2020 at 7:04 PM Girish Vasmatkar <
>> > > girish.vasmat...@hotwaxsystems.com> wrote:
>> > >
>> > > > Thanks Pierre.
>> > > >
>> > > > Here's the ticket for the same. I'll keep posting updates to it.
>> > > >
>> > > > https://issues.apache.org/jira/browse/OFBIZ-11347
>> > > >
>> > > > Best,
>> > > > Girish
>> > > >
>> > > > On Mon, Feb 10, 2020 at 4:48 PM Pierre Smits <
>> pierresm...@apache.org>
>> > > > wrote:
>> > > >
>> > > >> Hi Girish,
>> > > >>
>> > > >> Thank you for making the greater OFBiz community aware of this
>> > > endeavour.
>> > > >> I
>> > > >> welcome such initiatives as it increases the appeal of our main
>> > product.
>> > > >> Not only does it increase the appeal of OFBiz for (potential)
>> > adopters,
>> > > >> but
>> > > >> it may also lead to more parties willing to contribute.
>> > > >>
>> > > >> Best regards,
>> > > >>
>> > > >> Pierre Smits
>> > > >> *Proud* *contributor* (but without privileges)* of* Apache OFBiz
>> > > >> , since 2008
>> > > >>
>> > > >> *Apache Trafodion , Vice President*
>> > > >> *Apache Directory , PMC Member*
>> > > >> Apache Incubator , committer
>> > > >> Apache Steve , committer
>> > > >>
>> > > >>
>> > > >> On Mon, Feb 10, 2020 at 11:40 AM Girish Vasmatkar <
>> > > >> girish.vasmat...@hotwaxsystems.com> wrote:
>> > > >>
>> > > >> > Hello
>> > > >> >
>> > > >> > I had been working on adding GraphQL support to OFBiz and could
>> come
>> > > up
>> > > >> > with something that might be of interest to the community.
>> Wanted to
>> > > >> gauge
>> > > >> > community's interest on the same.
>> > > >> >
>> > > >> > Essentially, I have first tried to enable GraphQL support such
>> that
>> > > >> OFBiz
>> > > >> > is able to serve GraphQL queries, mutations and subscriptions as
>> > per
>> > > >> the
>> > > >> > GraphQL specification (http://spec.graphql.org/). The Java
>> GraphQL
>> > > >> library
>> > > >> > mostly takes care of it.
>> > > >> >
>> > > >> > The other major part is writing GraphQL schema and I have tried
>> to
>> > > >> include
>> > > >> > both SDL and programmatic approach to generate the schema.
>> Included
>> > a
>> > > >> demo
>> > > >> > query in the SDL approach to showcase how OFBiz can serve GraphQL
>> > > >> requests.
>> > > >> >
>> > > >> > This is the part that I feel needs more work in order to make it
>> > more
>> > > >> > generalised and I am still working on this.
>> > > >> >
>> > > >> > I have included GraphiQL(https://github.com/graphql/graphiql)
>> and
>> > > >> > Playground (https://github.com/prisma-labs/graphql-playground)
>> as
>> > two
>> > > >> > visual editor tools as well.
>> > > >> >
>> > > >> > Here's the github link for the plug in.
>> > > >> > https://github.com/hotwax/ofbiz-graphql
>> > > >> >
>> > > >> > Any feedback, questions, concerns or suggestions are welcome.
>> > > >> >
>> > > >> > Best,
>> > > >> > Girish
>> > > >> >
>> > > >>
>> > > >
>> > >
>> >
>>
>


Re: Demo instance for OFBiz 17.12 release and remove 13.07 demo

2020-03-28 Thread Swapnil M Mane
Hello team,
I am planning to upgrade the demo instances next week.
If you have any feedback or thoughts,
please feel free to comment at
https://issues.apache.org/jira/browse/OFBIZ-11472


- Best regards,
Swapnil M Mane,
ofbiz.apache.org



On Mon, Mar 23, 2020 at 3:48 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Thank you very much Swapnil!
>
> Jacques
>
> On 23/03/2020 at 03:56, Swapnil M Mane wrote:
> > Hello team,
> > The progress of upgrading demo instances can be tracked at
> > https://issues.apache.org/jira/browse/OFBIZ-11472
> >
> > The Pull Request and notes on steps to be executed on OFBiz VM
> > for setting demo instance are mentioned in Jira comment at
> > https://s.apache.org/o95vx
> >
> > Please have a look and let me know your kind feedback.
> > Thank you so much Jacques Le Roux for your inputs and guidance in this.
> >
> > - Best regards,
> > Swapnil M Mane,
> > ofbiz.apache.org
> >
> > On Sun, Mar 15, 2020 at 9:29 PM Swapnil M Mane 
> wrote:
> >> Thank you everyone for your response.
> >>
> >> Hi Jacques,
> >> I will take care of this and will sync with you and the team in case
> any help needed.
> >>
> >> Best regards,
> >> Swapnil M Mane,
> >> ofbiz.apache.org
> >>
> >>
> >>
> >> On Sat, Mar 14, 2020 at 4:32 PM Jacques Le Roux <
> jacques.le.r...@les7arts.com> wrote:
> >>> Hi,
> >>>
> >>> Someone will handle it?
> >>>
> >>> Jacques
> >>>
> >>> On 06/03/2020 at 10:34, Swapnil M Mane wrote:
>  Hello team,
>  Currently we have three demo instances [1] for OFBiz.
> 
>  -- Current Stable Release 16.11 - Demo
>  https://demo-stable.ofbiz.apache.org/ordermgr/control/main
> 
>  -- Developer Trunk - Demo
>  https://demo-trunk.ofbiz.apache.org/ordermgr/control/main
> 
>  -- Previous Stable Release 13.07 - Demo
>  https://demo-old.ofbiz.apache.org/ordermgr/control/main
> 
>  As we have our new OFBiz release 17.12, should we think of taking the
>  following actions:
> 
>  1. The 'Current Stable Release' instance should have release 17.12
>  i.e. demo-stable.ofbiz.apache.org should deploy on release 17.12
> 
>  2. The 'Previous Stable Release' instance should have release 16.11
>  i.e. demo-old.ofbiz.apache.org should deploy on 16.11
> 
>  After this migration, we will *no longer have 13.07 - Demo* instance.
> 
>  Here are some more details about the 13.07 demo instance.
>  The 13.07 instance goes down abruptly very frequently.
>  After this, it requires manual interaction to restart, in recent times
>  Jacques and I manually restarted it many times.
>  Looking at the current scenarios, it seems our users are also not
>  using 13.07 demo instance on a frequent basis, because no one from our
>  users reports us when it is down ;-)
> 
>  [1] https://ofbiz.apache.org/ofbiz-demos.html
> 
>  Best regards,
>  Swapnil M Mane,
>  ofbiz.apache.org
>
>


Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread Jacques Le Roux

Hi Girish,

Thanks for asking!

I have read in several up to date places that it's better to have both. Notably when you use the lax option, which I have left users the choice to 
use, because this might be needed in some cases. So the CSRF token defense offers a second fence.


OWASP clearly explains why at:
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#samesite-cookie-attribute

Other references:
https://security.stackexchange.com/questions/121971/will-same-site-cookies-be-sufficent-protection-against-csrf-and-xss
https://blog.worldline.tech/2018/07/02/same-site-cookie-a-new-protection-against-csrf.html
https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/

Note that if you want to avoid the heaviness and drawbacks of CSRF token defense (yes, though we did our best, there are some) you can use the 
NoCsrfDefenseStrategy. The Same Site Cookie Attribute being set to strict by default will have your back. BTW this leads me to think that we can now 
use the NoCsrfDefenseStrategy on demos.


Jacques

On 28/03/2020 at 10:39, Girish Vasmatkar wrote:

Hi Jacques

I second your points. However, I have the following question -

Since you have explored and followed OWASP very extensively, do you think
with the introduction of same-site attribute, the whole concept of CSRF
token becomes somewhat redundant, provided almost every browser has the
support for this attribute now?
I haven't gone into too much detail, so my understanding on this is
limited. However, from what I understood, same-site has the ability to
become an all-in-one solution for CSRF attacks provided browsers honour it.

Best,
Girish


On Sat, Mar 28, 2020 at 2:39 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:


Hi,

Of course, I have my own opinion. Here are my answers to these questions.

1. By default in OFBiz the session timeout is 1 hour. After that, OFBiz
generates a new CSRF token before you sign in. I think for OFBiz applications
it's enough security. Of course we could have more fancy defenses like banks
which are using random numeric pads for authentication and two-factor
authentication for important operations. Or companies like GitHub which use
two-factor authentication in case of machine or browser change. I don't think
it's needed OOTB for OFBiz applications. Some users may need it but it's then
up to them to implement what they specifically need. So random values
generated by java.security.SecureRandom are safe enough in my opinion.

2. If someone tries to use a request that is not auth protected, the CSRF
defenses (token + same-site) will not allow it from another domain if
csrf-token is not set to false. That's already reassuring and we may not need
to worry much about the remaining 195 cases where auth="false". Because there
are some obviously needed, like all those related to login or password change.
For the others it may turn out that they are also needed for other reasons.
For them we need to test them one by one and in some cases need to set
csrf-token to false, for instance in case of requests in an anonymous flow.
So finally, despite the remaining 195 cases, it should not be too hard and too
long to decide on this.

Also note that with OFBIZ-11470 <https://issues.apache.org/jira/browse/OFBIZ-11470>
we are more secure, from a CSRF perspective, with the same-site cookie
attribute. It's not perfect in itself, but according to OWASP, it's the perfect
duo for CSRF defense when associated with CSRF tokens.

I continue to work on the remaining 195 cases where auth="false"...

HTH

Jacques

On 27/03/2020 at 19:16, Jacques Le Roux wrote:

Hi All,

Before I create a PR as a last opportunity to allow reviews and tests,

I'd like to ask 2 last questions:

1. should we not use a JWT rather than a (pseudo) random value for the

CSRF token, this for timeout reason? Don't get me wrong I'm sure that the

random values generated by java.security.SecureRandom, as currently

used, are safe enough. It's just that I wonder about the timeout. Should we

care?
2. In relation with OFBIZ-4956, we need to check the remaining 195 cases

where auth="false" and decide if we should change to "true", with the CSRF

defense then used by default. In other cases (auth="false" must

remain) we need to decide if we should set the CSRF token check to false.

Apart from that, my
https://github.com/JacquesLeRoux/ofbiz-framework/tree/POC-for-CSRF-Token-OFBIZ-11306
branch is ready to create a PR. We can't wait too
long about those 2 points, even if the 2nd needs a "bit" of work.
Anyway, for now I'll wait for answers, and hopefully help for OFBIZ-4956.

Thanks

Jacques


On 26/03/2020 at 07:39, James Yong wrote:

+1 with CSRF defense enabled in Demo

Hi,

I thought about that a bit more. I suggest to let the stable version

(soon, R17) as is, i.e. with CSRF defense enabled. This way users, mostly

interested in 

Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread Girish Vasmatkar
Hi Jacques

I second your points. However, I have the following question -

Since you have explored and followed OWASP very extensively, do you think
with the introduction of same-site attribute, the whole concept of CSRF
token becomes somewhat redundant, provided almost every browser has the
support for this attribute now?
I haven't gone into too much detail, so my understanding on this is
limited. However, from what I understood, same-site has the ability to
become an all-in-one solution for CSRF attacks provided browsers honour it.

Best,
Girish


On Sat, Mar 28, 2020 at 2:39 PM Jacques Le Roux <
jacques.le.r...@les7arts.com> wrote:

> Hi,
>
> Of course, I have my own opinion. Here are my answers to these questions.
>
>  1. By default in OFBiz the session timeout is 1 hour. After that, OFBiz
> generates a new CSRF token before you sign in. I think for OFBiz applications
> it's enough security. Of course we could have more fancy defenses like banks
> which are using random numeric pads for authentication and two-factor
> authentication for important operations. Or companies like GitHub which use
> two-factor authentication in case of machine or browser change. I don't think
> it's needed OOTB for OFBiz applications. Some users may need it but it's then
> up to them to implement what they specifically need. So random values
> generated by java.security.SecureRandom are safe enough in my opinion.
>
>  2. If someone tries to use a request that is not auth protected, the CSRF
> defenses (token + same-site) will not allow it from another domain if
> csrf-token is not set to false. That's already reassuring and we may not need
> to worry much about the remaining 195 cases where auth="false". Because there
> are some obviously needed, like all those related to login or password change.
> For the others it may turn out that they are also needed for other reasons.
> For them we need to test them one by one and in some cases need to set
> csrf-token to false, for instance in case of requests in an anonymous flow.
> So finally, despite the remaining 195 cases, it should not be too hard and too
> long to decide on this.
>
> Also note that with OFBIZ-11470 <https://issues.apache.org/jira/browse/OFBIZ-11470>
> we are more secure, from a CSRF perspective, with the same-site cookie
> attribute. It's not perfect in itself, but according to OWASP, it's the perfect
> duo for CSRF defense when associated with CSRF tokens.
>
> I continue to work on the remaining 195 cases where auth="false"...
>
> HTH
>
> Jacques
>
> On 27/03/2020 at 19:16, Jacques Le Roux wrote:
> > Hi All,
> >
> > Before I create a PR as a last opportunity to allow reviews and tests,
> I'd like to ask 2 last questions:
> >
> > 1. should we not use a JWT rather than a (pseudo) random value for the
> CSRF token, this for timeout reason? Don't get me wrong I'm sure that the
> >random values generated by java.security.SecureRandom, as currently
> used, are safe enough. It's just that I wonder about the timeout. Should we
> > care?
> > 2. In relation with OFBIZ-4956, we need to check the remaining 195 cases
> where auth="false" and decide if we should change to "true", with the CSRF
> >defense then used by default. In other cases (auth="false" must
> remain) we need to decide if we should set the CSRF token check to false.
> >
> > Apart from that, my
> https://github.com/JacquesLeRoux/ofbiz-framework/tree/POC-for-CSRF-Token-OFBIZ-11306
> branch is ready to create a PR. We can't wait too
> > long about those 2 points, even if the 2nd needs a "bit" of work.
> Anyway, for now I'll wait for answers, and hopefully help for OFBIZ-4956.
> >
> > Thanks
> >
> > Jacques
> >
> >
> > On 26/03/2020 at 07:39, James Yong wrote:
> >> +1 with CSRF defense enabled in Demo
> >>> Hi,
> >>>
> >>> I thought about that a bit more. I suggest to let the stable version
> (soon, R17) as is, i.e. with CSRF defense enabled. This way users, mostly
> >>> interested in stable, would see the real situation.
> >>>
> >>> And to use the NoCsrfDefenseStrategy in trunk. So developers, often
> brought to use the trunk for development reasons, would have more latitude;
> as
> >>> they certainly will do locally.
> >>>
> >>> If nobody disagrees we will do so at
> https://issues.apache.org/jira/browse/OFBIZ-11472 with Swapnil
> >>>
> >>> If we do so, the link
> https://demo-stable.ofbiz.apache.org/ordermgr/control/main?USERNAME=admin=ofbiz=Y
> will no longer
> >>> work.
> >>>
> >>> https://demo-stable.ofbiz.apache.org/ordermgr should be used and we
> need to update https://ofbiz.apache.org/ofbiz-demos.html for that.
> >>>
> >>> Jacques
> >>>
> >>>
>


Re: GraphQL API for OFBiz

2020-03-28 Thread Girish Vasmatkar
Hi Pierre

Yes, the demo went well barring some network glitches :). It was recorded as
well so I will put the details on the ticket. Thanks for your interest.

Best,
Girish




On Sat, Mar 28, 2020 at 1:30 PM Pierre Smits  wrote:

> Hi Girish,
>
> How did your presentation go? Unfortunately I was unable to
> attend/participate, but am curious.
>
> Will you capture highlights and put those in the ticket?
>
> Kind regards
>
> Pierre
>
> On Fri 27 Mar 2020 10:13 Deepak Dixit wrote:
>
> > Great initiative Girish.
> >
> > Thanks & Regards
> > --
> > Deepak Dixit
> > ofbiz.apache.org
> >
> >
> > On Thu, Mar 26, 2020 at 9:18 PM Girish Vasmatkar <
> > girish.vasmat...@hotwaxsystems.com> wrote:
> >
> > > Hi All
> > >
> > > I'm planning an introduction of the OFBiz-GraphQL component that we
> have
> > > developed so far. Please find below the hangout meet details -
> > >
> > > Date : 03/27/2020 9:00 PM IST, 11:30 AM EST, 3:30 PM GMT.
> > > Join Hangout Meet : https://meet.google.com/gja-jdwt-wpi
> > > Join By Phone : +1 661-237-5173 PIN: 585 477 050#
> > >
> > > Meeting agenda -
> > >
> > >- GraphQL briefing
> > >   - Queries
> > >   - Mutations
> > >- OFBiz-GraphQL component
> > >   - Architecture
> > >   - Entity Fetchers
> > >   - Service Fetchers
> > >- What Next
> > >   - Pagination
> > >   - Interface
> > >   - Batching
> > >   - Subscriptions
> > >
> > >
> > > Best Regards
> > > Girish Vasmatkar
> > >
> > >
> > >
> > > On Wed, Feb 12, 2020 at 7:04 PM Girish Vasmatkar <
> > > girish.vasmat...@hotwaxsystems.com> wrote:
> > >
> > > > Thanks Pierre.
> > > >
> > > > Here's the ticket for the same. I'll keep posting updates to it.
> > > >
> > > > https://issues.apache.org/jira/browse/OFBIZ-11347
> > > >
> > > > Best,
> > > > Girish
> > > >
> > > > On Mon, Feb 10, 2020 at 4:48 PM Pierre Smits  >
> > > > wrote:
> > > >
> > > >> Hi Girish,
> > > >>
> > > >> Thank you for making the greater OFBiz community aware of this
> > > endeavour.
> > > >> I
> > > >> welcome such initiatives as it increases the appeal of our main
> > product.
> > > >> Not only does it increase the appeal of OFBiz for (potential)
> > adopters,
> > > >> but
> > > >> it may also lead to more parties willing to contribute.
> > > >>
> > > >> Best regards,
> > > >>
> > > >> Pierre Smits
> > > >> *Proud* *contributor* (but without privileges)* of* Apache OFBiz
> > > >> , since 2008
> > > >>
> > > >> *Apache Trafodion , Vice President*
> > > >> *Apache Directory , PMC Member*
> > > >> Apache Incubator , committer
> > > >> Apache Steve , committer
> > > >>
> > > >>
> > > >> On Mon, Feb 10, 2020 at 11:40 AM Girish Vasmatkar <
> > > >> girish.vasmat...@hotwaxsystems.com> wrote:
> > > >>
> > > >> > Hello
> > > >> >
> > > >> > I had been working on adding GraphQL support to OFBiz and could
> come
> > > up
> > > >> > with something that might be of interest to the community. Wanted
> to
> > > >> gauge
> > > >> > community's interest on the same.
> > > >> >
> > > >> > Essentially, I have first tried to enable GraphQL support such
> that
> > > >> OFBiz
> > > >> > is able to serve GraphQL queries, mutations and subscriptions as
> > per
> > > >> the
> > > >> > GraphQL specification (http://spec.graphql.org/). The Java
> GraphQL
> > > >> library
> > > >> > mostly takes care of it.
> > > >> >
> > > >> > The other major part is writing GraphQL schema and I have tried to
> > > >> include
> > > >> > both SDL and programmatic approach to generate the schema.
> Included
> > a
> > > >> demo
> > > >> > query in the SDL approach to showcase how OFBiz can serve GraphQL
> > > >> requests.
> > > >> >
> > > >> > This is the part that I feel needs more work in order to make it
> > more
> > > >> > generalised and I am still working on this.
> > > >> >
> > > >> > I have included GraphiQL(https://github.com/graphql/graphiql) and
> > > >> > Playground (https://github.com/prisma-labs/graphql-playground) as
> > two
> > > >> > visual editor tools as well.
> > > >> >
> > > >> > Here's the github link for the plug in.
> > > >> > https://github.com/hotwax/ofbiz-graphql
> > > >> >
> > > >> > Any feedback, questions, concerns or suggestions are welcome.
> > > >> >
> > > >> > Best,
> > > >> > Girish
> > > >> >
> > > >>
> > > >
> > >
> >
>


Re: [TEST] Test "POC for CSRF Token"

2020-03-28 Thread Jacques Le Roux

Hi,

Of course, I have my own opinion. Here are my answers to these questions.

1. By default in OFBiz the session timeout is 1 hour. After that, OFBiz 
generates a new CSRF token before you sign in. I think for OFBiz applications 
it's enough security. Of course we could have more fancy defenses like banks 
which are using random numeric pads for authentication and two-factor 
authentication for important operations. Or companies like GitHub which use 
two-factor authentication in case of machine or browser change. I don't think 
it's needed OOTB for OFBiz applications. Some users may need it but it's then 
up to them to implement what they specifically need. So random values 
generated by java.security.SecureRandom are safe enough in my opinion.

2. If someone tries to use a request that is not auth protected, the CSRF 
defenses (token + same-site) will not allow it from another domain if 
csrf-token is not set to false. That's already reassuring and we may not need 
to worry much about the remaining 195 cases where auth="false". Because there 
are some obviously needed, like all those related to login or password change. 
For the others it may turn out that they are also needed for other reasons. 
For them we need to test them one by one and in some cases need to set 
csrf-token to false, for instance in case of requests in an anonymous flow. 
So finally, despite the remaining 195 cases, it should not be too hard and too 
long to decide on this.

Also note that with OFBIZ-11470 we are more secure, from a CSRF perspective, with the same-site 
cookie attribute. It's not perfect in itself, but according to OWASP, it's the perfect duo for CSRF defense when associated with CSRF tokens.


I continue to work on the remaining 195 cases where auth="false"...

HTH

Jacques

On 27/03/2020 at 19:16, Jacques Le Roux wrote:

Hi All,

Before I create a PR as a last opportunity to allow reviews and tests, I'd like 
to ask 2 last questions:

1. should we not use a JWT rather than a (pseudo) random value for the CSRF 
token, this for timeout reason? Don't get me wrong I'm sure that the
   random values generated by java.security.SecureRandom, as currently used, are safe enough. It's just that I wonder about the timeout. Should we 
care?

2. In relation with OFBIZ-4956, we need to check the remaining 195 cases where 
auth="false" and decide if we should change to "true", with the CSRF
   defense then used by default. In other cases (auth="false" must remain) we 
need to decide if we should set the CSRF token check to false.

Apart from that, my https://github.com/JacquesLeRoux/ofbiz-framework/tree/POC-for-CSRF-Token-OFBIZ-11306 branch is ready to create a PR. We can't wait too 
long about those 2 points, even if the 2nd needs a "bit" of work. Anyway, for now I'll wait for answers, and hopefully help for OFBIZ-4956.


Thanks

Jacques


On 26/03/2020 at 07:39, James Yong wrote:

+1 with CSRF defense enabled in Demo

Hi,

I thought about that a bit more. I suggest to let the stable version (soon, 
R17) as is, i.e. with CSRF defense enabled. This way users, mostly
interested in stable, would see the real situation.

And to use the NoCsrfDefenseStrategy in trunk. So developers, often brought to 
use the trunk for development reasons, would have more latitude; as
they certainly will do locally.

If nobody disagrees we will do so at 
https://issues.apache.org/jira/browse/OFBIZ-11472 with Swapnil

If we do so, the link https://demo-stable.ofbiz.apache.org/ordermgr/control/main?USERNAME=admin=ofbiz=Y will no longer 
work.


https://demo-stable.ofbiz.apache.org/ordermgr should be used and we need to 
update https://ofbiz.apache.org/ofbiz-demos.html for that.

Jacques
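The points made across this thread (James: the csrf-token check is independent of the auth check and lives in a swappable ICsrfDefenseStrategy; Jacques: a SecureRandom token per session, a 1-hour session timeout after which a fresh token is issued, csrf-token="false" for anonymous flows, and the SameSite=Strict cookie as the first fence with the token as the second) are easier to reason about with all of them in one small runnable class. The following is an added illustration written for this page, not OFBiz's own code nor the project's actual ICsrfDefenseStrategy API; every class and method name (RequestMap, Session, dispatch, sessionCookieHeader, the strategy classes) is an assumption modelled on the thread's vocabulary, and the clock value and request names are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Added illustration, not OFBiz code; names are assumptions borrowed from the thread. */
public class CsrfDefenseDemo {

    /** Per-request controller attributes as discussed: auth="..." and csrf-token="...". */
    static final class RequestMap {
        final String uri;
        final boolean auth;
        final boolean csrfToken;
        RequestMap(String uri, boolean auth, boolean csrfToken) {
            this.uri = uri; this.auth = auth; this.csrfToken = csrfToken;
        }
    }

    /** Server-side session: its creation time plus the token bound to it. */
    static final class Session {
        private static final SecureRandom RNG = new SecureRandom();
        final long createdAtMillis;
        String csrfToken;
        Session(long nowMillis) { createdAtMillis = nowMillis; csrfToken = newToken(); }
        /** 256 bits from SecureRandom, URL-safe so it can travel in forms and headers. */
        static String newToken() {
            byte[] raw = new byte[32];
            RNG.nextBytes(raw);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        }
    }

    /** Pluggable strategy hook, so implementations can be swapped as the thread proposes. */
    interface ICsrfDefenseStrategy {
        boolean tokenRequired(RequestMap request);
        boolean verify(Session session, String presentedToken);
    }

    /** Default: every request is token-checked unless it opts out with csrf-token="false". */
    static final class CsrfDefenseStrategy implements ICsrfDefenseStrategy {
        @Override public boolean tokenRequired(RequestMap request) { return request.csrfToken; }
        @Override public boolean verify(Session session, String presentedToken) {
            if (presentedToken == null || session.csrfToken == null) return false;
            // constant-time comparison so the check does not leak the token byte by byte
            return MessageDigest.isEqual(
                    session.csrfToken.getBytes(StandardCharsets.UTF_8),
                    presentedToken.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** Opt-out strategy: leaves CSRF protection to the SameSite cookie alone. */
    static final class NoCsrfDefenseStrategy implements ICsrfDefenseStrategy {
        @Override public boolean tokenRequired(RequestMap request) { return false; }
        @Override public boolean verify(Session session, String presentedToken) { return true; }
    }

    static final long SESSION_TIMEOUT_MILLIS = 60L * 60L * 1000L; // 1 hour, as in the thread

    /** First fence: the session cookie itself is issued with SameSite=Strict. */
    static String sessionCookieHeader(String sessionId) {
        return "JSESSIONID=" + sessionId + "; Path=/; Secure; HttpOnly; SameSite=Strict";
    }

    /**
     * Dispatch-time check. The CSRF verdict does not depend on the auth attribute:
     * an auth="false" request is still token-checked unless it sets csrf-token="false".
     */
    static String dispatch(ICsrfDefenseStrategy strategy, Session session, RequestMap request,
                           boolean authenticated, String presentedToken, long nowMillis) {
        if (nowMillis - session.createdAtMillis > SESSION_TIMEOUT_MILLIS) {
            session.csrfToken = Session.newToken(); // stale session: rotate before the next sign-in
            return "SESSION_EXPIRED";
        }
        if (strategy.tokenRequired(request) && !strategy.verify(session, presentedToken)) {
            return "CSRF_REJECTED";
        }
        if (request.auth && !authenticated) {
            return "LOGIN_REQUIRED";
        }
        return "OK";
    }

    public static void main(String[] args) {
        long now = 1_585_000_000_000L; // constructed clock value
        Session session = new Session(now);
        ICsrfDefenseStrategy strict = new CsrfDefenseStrategy();
        ICsrfDefenseStrategy none = new NoCsrfDefenseStrategy();
        RequestMap updateProfile = new RequestMap("updateProfile", true, true);   // constructed
        RequestMap login = new RequestMap("login", false, false);                // anonymous flow opts out
        RequestMap anonymousPost = new RequestMap("anonymousPost", false, true); // auth="false", token still checked

        System.out.println(sessionCookieHeader("constructed-session-id"));
        System.out.println(dispatch(strict, session, updateProfile, true, session.csrfToken, now)); // OK
        System.out.println(dispatch(strict, session, anonymousPost, false, null, now));             // CSRF_REJECTED
        System.out.println(dispatch(strict, session, login, false, null, now));                     // OK
        System.out.println(dispatch(none, session, updateProfile, false, null, now));               // LOGIN_REQUIRED
        String before = session.csrfToken;
        System.out.println(dispatch(strict, session, updateProfile, true, before,
                now + SESSION_TIMEOUT_MILLIS + 1));                                                 // SESSION_EXPIRED
        System.out.println(before.equals(session.csrfToken) ? "token unchanged" : "token rotated");
    }
}
```

Compile and run with `javac CsrfDefenseDemo.java && java CsrfDefenseDemo`. The `anonymousPost` case is the one James and Jacques are discussing: with the default strategy an auth="false" request is still rejected without a token, so the 195 auth="false" cases only need a decision on whether to set csrf-token="false", not on the token mechanism itself; switching to NoCsrfDefenseStrategy removes the second fence entirely and leaves only the SameSite cookie, which is exactly the trade-off Jacques describes for the trunk demo.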




Re: GraphQL API for OFBiz

2020-03-28 Thread Pierre Smits
Hi Girish,

How did your presentation go? Unfortunately I was unable to
attend/participate, but am curious.

Will you capture highlights and put those in the ticket?

Kind regards

Pierre

On Fri 27 Mar 2020 10:13 Deepak Dixit wrote:

> Great initiative Girish.
>
> Thanks & Regards
> --
> Deepak Dixit
> ofbiz.apache.org
>
>
> On Thu, Mar 26, 2020 at 9:18 PM Girish Vasmatkar <
> girish.vasmat...@hotwaxsystems.com> wrote:
>
> > Hi All
> >
> > I'm planning an introduction of the OFBiz-GraphQL component that we have
> > developed so far. Please find below the hangout meet details -
> >
> > Date : 03/27/2020 9:00 PM IST, 11:30 AM EST, 3:30 PM GMT.
> > Join Hangout Meet : https://meet.google.com/gja-jdwt-wpi
> > Join By Phone : +1 661-237-5173 PIN: 585 477 050#
> >
> > Meeting agenda -
> >
> >- GraphQL briefing
> >   - Queries
> >   - Mutations
> >- OFBiz-GraphQL component
> >   - Architecture
> >   - Entity Fetchers
> >   - Service Fetchers
> >- What Next
> >   - Pagination
> >   - Interface
> >   - Batching
> >   - Subscriptions
> >
> >
> > Best Regards
> > Girish Vasmatkar
> >
> >
> >
> > On Wed, Feb 12, 2020 at 7:04 PM Girish Vasmatkar <
> > girish.vasmat...@hotwaxsystems.com> wrote:
> >
> > > Thanks Pierre.
> > >
> > > Here's the ticket for the same. I'll keep posting updates to it.
> > >
> > > https://issues.apache.org/jira/browse/OFBIZ-11347
> > >
> > > Best,
> > > Girish
> > >
> > > On Mon, Feb 10, 2020 at 4:48 PM Pierre Smits 
> > > wrote:
> > >
> > >> Hi Girish,
> > >>
> > >> Thank you for making the greater OFBiz community aware of this
> > endeavour.
> > >> I
> > >> welcome such initiatives as it increases the appeal of our main
> product.
> > >> Not only does it increase the appeal of OFBiz for (potential)
> adopters,
> > >> but
> > >> it may also lead to more parties willing to contribute.
> > >>
> > >> Best regards,
> > >>
> > >> Pierre Smits
> > >> *Proud* *contributor* (but without privileges)* of* Apache OFBiz
> > >> , since 2008
> > >>
> > >> *Apache Trafodion , Vice President*
> > >> *Apache Directory , PMC Member*
> > >> Apache Incubator , committer
> > >> Apache Steve , committer
> > >>
> > >>
> > >> On Mon, Feb 10, 2020 at 11:40 AM Girish Vasmatkar <
> > >> girish.vasmat...@hotwaxsystems.com> wrote:
> > >>
> > >> > Hello
> > >> >
> > >> > I had been working on adding GraphQL support to OFBiz and could come
> > up
> > >> > with something that might be of interest to the community. Wanted to
> > >> gauge
> > >> > community's interest on the same.
> > >> >
> > >> > Essentially, I have first tried to enable GraphQL support such that
> > >> OFBiz
> > >> > is able to serve GraphQL queries, mutations and subscriptions as
> per
> > >> the
> > >> > GraphQL specification (http://spec.graphql.org/). The Java GraphQL
> > >> library
> > >> > mostly takes care of it.
> > >> >
> > >> > The other major part is writing GraphQL schema and I have tried to
> > >> include
> > >> > both SDL and programmatic approach to generate the schema. Included
> a
> > >> demo
> > >> > query in the SDL approach to showcase how OFBiz can serve GraphQL
> > >> requests.
> > >> >
> > >> > This is the part that I feel needs more work in order to make it
> more
> > >> > generalised and I am still working on this.
> > >> >
> > >> > I have included GraphiQL(https://github.com/graphql/graphiql) and
> > >> > Playground (https://github.com/prisma-labs/graphql-playground) as
> two
> > >> > visual editor tools as well.
> > >> >
> > >> > Here's the github link for the plug in.
> > >> > https://github.com/hotwax/ofbiz-graphql
> > >> >
> > >> > Any feedback, questions, concerns or suggestions are welcome.
> > >> >
> > >> > Best,
> > >> > Girish
> > >> >
> > >>
> > >
> >
>