
Create a WAF rule to inspect the json request body for create-user call
Closed, Resolved | Public | 3 Estimated Story Points

Description

In order to stop requests whose email address belongs to any domain in the domain_denylist from being forwarded, we need to create a WAF rule.

To do

  • Add a rule to the WAF of the auth API service. The WAF must be able to inspect the JSON request body. A typical JSON request body looks as follows:
{
  "email": "user@example.com",
  "username": "username",
  "password": "userpassword",
  "policy_version": "v1.1",
  "policy_date_accept": "2023-03-10T12:34:56.789Z",
  "marketing_emails": "false",
  "captcha_id": "somecaptcha_id",
  "captcha_solution": "somecaptcha_solution"
}

If (for example) the domain_denylist is ["example.com", "abc.com"], the request above should not be forwarded.

Note: Use the same domain_denylist variable from IaC that we will use for the dashboard and the auth service.

AWS docs: https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonBody.html
Terraform docs: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl
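As an added illustration (not the ticket's own code or the project's IaC), this is what such a rule can look like in Terraform, using regex_match_statement with a json_body field_to_match that inspects only the /email value. The resource and metric names, the REGIONAL scope, and the /create-user URI path are assumptions; domain_denylist stands in for the shared IaC variable mentioned in the note above.

```hcl
# Assumed: the shared denylist variable from IaC, e.g. ["example.com", "abc.com"]
variable "domain_denylist" {
  type = list(string)
}

locals {
  # Escape dots so "abc.com" does not also match "abcxcom"; lowercase to match
  # the LOWERCASE text transformation applied below.
  escaped_domains = [for d in var.domain_denylist : replace(lower(d), ".", "\\.")]

  # Anchor on "@" and on the end of the value so only the exact domain matches.
  # Non-capturing group because AWS WAF does not support capturing groups.
  denied_email_regex = "@(?:${join("|", local.escaped_domains)})$"
}

resource "aws_wafv2_web_acl" "auth_api" {
  name  = "auth-api-waf" # assumed name
  scope = "REGIONAL"     # assumed: auth API is behind an ALB / API Gateway

  default_action {
    allow {}
  }

  rule {
    name     = "block-denylisted-email-domains"
    priority = 1

    action {
      block {}
    }

    statement {
      and_statement {
        # Restrict the rule to the create-user call; the path is assumed.
        statement {
          byte_match_statement {
            search_string         = "/create-user"
            positional_constraint = "EXACTLY"

            field_to_match {
              uri_path {}
            }

            text_transformation {
              priority = 0
              type     = "NONE"
            }
          }
        }

        # Inspect only the "email" value of the JSON body.
        statement {
          regex_match_statement {
            regex_string = local.denied_email_regex

            field_to_match {
              json_body {
                match_scope = "VALUE"

                match_pattern {
                  included_paths = ["/email"]
                }

                # Fail closed on this path: a body that is not valid JSON, or
                # that exceeds the WAF inspection size, counts as a match.
                invalid_fallback_behavior = "MATCH"
                oversize_handling         = "MATCH"
              }
            }

            # Lowercase the value so "User@EXAMPLE.com" cannot slip past.
            text_transformation {
              priority = 0
              type     = "LOWERCASE"
            }
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "BlockDenylistedEmailDomains"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "AuthApiWaf"
    sampled_requests_enabled   = true
  }
}
```

Two design points worth keeping in mind: the regex matches the domain exactly, so "user@mail.example.com" is not blocked by an "example.com" entry, which mirrors the ticket's denylist semantics; and AWS WAF caps the length of an inline regex_string, so a long denylist should move into an aws_wafv2_regex_pattern_set referenced from a regex_pattern_set_reference_statement instead. The sampled requests enabled on the rule are what let you confirm the block in the AWS console during the acceptance test.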

Acceptance criteria

  • On dev, set up a test domain_denylist. Send a request from the dev dashboard using an email address with a domain from the denylist. Verify that your request does not reach the Auth service.
  • Check the CloudWatch logs for the auth service. You should not see a /create-user log entry related to your request.