GSoC-2021 with OpenMRS week 8

Nsereko Joshua
Aug 3, 2021

Security Issues with OpenMRS

Imagine a scenario in which a nurse can create and/or delete a user in the system. Strictly, this is an authorization failure rather than an authentication bypass (the nurse is authenticated; what is missing is the privilege check), but the effect is the same: a privilege that should be held only by system administrators is available to an ordinary user.

I worked on three issues last week:
1. Authentication bypass to administration functions.
2. Password strength meter implementation.
3. Anti-CSRF implementation independent of Spring Security.

Authentication bypass to administration functions.

I have created a filter in the legacyui module that checks every request to the administration functions (and/or resources) for the System Administrator privilege before it reaches the page. Once merged, it should close most of the privilege issues of this kind in the system, although it complements rather than replaces the privilege checks in the service layer, since the same functions may be reachable through other URLs.
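As an added example (not the legacyui module's own filter, which is not shown on this page), here is how such a request filter can be written with the servlet API and OpenMRS's Context class. The /admin path prefix, the privilege name "System Administrator" and the login page location are assumptions.

```java
// Added example, not the legacyui module's code: a servlet filter that denies
// requests to administration pages unless the current user holds the required
// privilege. Assumptions: admin pages live under /admin, the privilege is named
// "System Administrator", the login page is /login.htm, and the OpenMRS session
// filter has already bound org.openmrs.api.context.Context to this request.
import java.io.IOException;
import java.net.URI;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.openmrs.api.context.Context;

public class AdminPrivilegeFilter implements Filter {

    /** Privilege every request under the admin path must carry (assumed name). */
    static final String REQUIRED_PRIVILEGE = "System Administrator";

    /** Path prefix of the administration pages, relative to the context path (assumed). */
    static final String ADMIN_PREFIX = "/admin";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isAdminPath(request.getContextPath(), request.getRequestURI())) {
            if (!Context.isAuthenticated()) {
                // Nobody is logged in: send to the login page (assumed location).
                response.sendRedirect(request.getContextPath() + "/login.htm");
                return;
            }
            if (!Context.hasPrivilege(REQUIRED_PRIVILEGE)) {
                // Authenticated but unprivileged (the nurse in the scenario above): stop here,
                // do not continue the chain.
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * True when the request targets the admin area. The URI is normalised first so that
     * "/admin/../admin/users.list" or "/x/../admin/" are matched by what they resolve to,
     * and a URI the parser rejects is treated as admin (fail closed). Percent-encoded
     * traversal sequences are left to the container, which is expected to reject them.
     */
    static boolean isAdminPath(String contextPath, String requestUri) {
        try {
            String path = URI.create(requestUri).normalize().getPath();
            if (contextPath != null && !contextPath.isEmpty() && path.startsWith(contextPath)) {
                path = path.substring(contextPath.length());
            }
            return path.equals(ADMIN_PREFIX) || path.startsWith(ADMIN_PREFIX + "/");
        } catch (IllegalArgumentException malformed) {
            return true;
        }
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

The filter must be mapped after the OpenMRS filter that opens the session for the request, otherwise Context.isAuthenticated() has nothing to look at; how the mapping is declared (web.xml or the module's config.xml) depends on where the filter lives and is not shown here. Two caveats worth keeping in mind: a path allowlist only protects the URLs it lists, so the @Authorized checks on the service methods behind those pages must stay in place, and the deny branch deliberately returns 403 rather than a friendly redirect so that a logged-in user cannot be silently bounced into an administrator's session.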

Password strength meter implementation

Password strength is a measure of how well a password resists guessing and brute-force attacks. The strength of a password is a function of its length, complexity, and unpredictability.
A password strength meter, on the other hand, is an indicator, either graphical or textual, of the strength of a password as the user types it.
I had decided to use a jQuery password strength meter plugin to simplify the coding and to get better graphics and animations.
However, different OpenMRS implementations have different password requirements, so I had to customize the plugin to read the password requirement variables from the environment. I realized that this needs more time, and I will continue working on it after the GSoC period.
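The configuration-driven part of the problem can be separated from the plugin's graphics. The following is an added example, not the author's plugin or OpenMRS code: a rater whose hard rules are read from a Properties object, so one implementation serves installations with different policies, and whose strength bands are computed from an entropy estimate rather than from the policy alone. The property names follow OpenMRS's security.password* global properties; that they are the only source of policy, and the band thresholds, are assumptions.

```java
// Added example, not the author's jQuery plugin and not OpenMRS's own validator:
// a policy-driven password strength rater. Hard requirements come from
// configuration (property names follow OpenMRS's security.password* global
// properties, an assumption here); the strength band comes from an entropy
// estimate, so a password can satisfy every rule and still rate as weak.
import java.util.Properties;
import java.util.regex.Pattern;

public class PasswordStrength {

    public enum Level { REJECTED, WEAK, FAIR, STRONG }

    private final int minLength;
    private final boolean requiresDigit;
    private final boolean requiresNonDigit;
    private final boolean requiresUpperAndLower;
    private final boolean cannotMatchUsername;
    private final Pattern customRegex;  // null when the installation sets none

    public PasswordStrength(Properties policy) {
        minLength = Integer.parseInt(policy.getProperty("security.passwordMinimumLength", "8"));
        requiresDigit = Boolean.parseBoolean(policy.getProperty("security.passwordRequiresDigit", "true"));
        requiresNonDigit = Boolean.parseBoolean(policy.getProperty("security.passwordRequiresNonDigit", "true"));
        requiresUpperAndLower = Boolean.parseBoolean(policy.getProperty("security.passwordRequiresUpperAndLowerCase", "true"));
        cannotMatchUsername = Boolean.parseBoolean(policy.getProperty("security.passwordCannotMatchUsername", "true"));
        String regex = policy.getProperty("security.passwordCustomRegex", "");
        customRegex = regex.isEmpty() ? null : Pattern.compile(regex);
    }

    /** The installation's hard requirements: failing any of them is a rejection, not merely "weak". */
    public boolean meetsPolicy(String password, String username) {
        if (password.length() < minLength) return false;
        if (requiresDigit && password.chars().noneMatch(Character::isDigit)) return false;
        if (requiresNonDigit && password.chars().allMatch(Character::isDigit)) return false;
        if (requiresUpperAndLower && (password.chars().noneMatch(Character::isUpperCase)
                || password.chars().noneMatch(Character::isLowerCase))) return false;
        if (cannotMatchUsername && username != null && password.equalsIgnoreCase(username)) return false;
        return customRegex == null || customRegex.matcher(password).matches();
    }

    /**
     * Guessing-resistance estimate in bits: log2(alphabet size) per character, where the
     * alphabet is the union of the character classes actually used, and a repeated
     * character earns only a quarter of the credit so "aaaaaaaaa1A" is not rated like a
     * random string of the same length. Dictionary words are not detected here.
     */
    public static double estimateBits(String password) {
        int alphabet = 0;
        if (password.chars().anyMatch(Character::isLowerCase)) alphabet += 26;
        if (password.chars().anyMatch(Character::isUpperCase)) alphabet += 26;
        if (password.chars().anyMatch(Character::isDigit)) alphabet += 10;
        if (password.chars().anyMatch(c -> !Character.isLetterOrDigit(c))) alphabet += 33;
        if (alphabet == 0) return 0;
        long distinct = password.chars().distinct().count();
        double effectiveLength = distinct + (password.length() - distinct) * 0.25;
        return effectiveLength * (Math.log(alphabet) / Math.log(2));
    }

    /** What the meter shows: the policy gate first, then entropy bands (thresholds are a design choice). */
    public Level rate(String password, String username) {
        if (!meetsPolicy(password, username)) return Level.REJECTED;
        double bits = estimateBits(password);
        if (bits < 45) return Level.WEAK;
        if (bits < 70) return Level.FAIR;
        return Level.STRONG;
    }

    public static void main(String[] args) {
        Properties policy = new Properties();  // constructed sample policy, as one installation might set it
        policy.setProperty("security.passwordMinimumLength", "10");
        PasswordStrength meter = new PasswordStrength(policy);
        for (String pw : new String[] {"Nurse2021", "Password1!", "aaaaaaaaa1A", "kQ7#vZp2!mRx"}) {
            System.out.println(pw + " -> " + meter.rate(pw, "nurse")
                    + " (" + Math.round(estimateBits(pw)) + " bits)");
        }
    }
}
```

The meter in the browser should show the same bands the server enforces, so the policy values have to reach the page from the same configuration; and because this estimate knows nothing about dictionaries, "Password1!" passes the policy and lands in the middle band, which is exactly why a wordlist check belongs next to it.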

Anti-CSRF implementation independent of Spring Security

Adding Spring Security to core, and upgrading the core version used by the reference application to the latest snapshot, would require upgrading almost all the modules used by the OpenMRS-reference-application-module and refactoring some of the logic in this module's test classes. That is not a simple task and would take some time.
I tried another alternative this week: generating my own random token in the OpenMRS-reference-application-module and verifying it in a filter. This looks like a better option and should save time; I am still working on it.

Thanks for reading :)
