Hello everyone :)
I’m in the process of building a kinda odd mechanism to bypass authentication. Which of course I know is stupid, but many business requirements are stupid… So it is a design that derives from business decision which state that user authentication is an impediment, also the code on the client’s backed must not be intrusive.
To explain. I have a web application and a ClientWebApp which has an SDK I’ve made that exposes an API so he can easily use it in his code and interact with that web application.
The ClientWebApp is using HTTPS POST to call my web application including some user data that my web application needs in order to work. This communication happens with a client_credentials OAuth token… So far so good. The web application is storing all this information in its database and it generates a unique URL with a dynamic segment (UUID) which UUIDcorresponds to the key of the database entry of the incoming information from the ClientWebApp.
Now the ClientWebApp is redirecting the user to that unique URL (which is actually my web application) and if the web application can find an unused UUID that matches with the UUID in the URL path it lets the user browse. Right after the match, the UUID gets invalidated so that the user is not able to refresh and sees his information.
So my web application has no authentication (HTTPS of course) but only responds to “non-guessable” URLs that have been passed via HTTPS POST.
Now I’m thinking of a scenario where a malicious person goes to a cafe or something and opens up a public wi-fi and starts sniffing the traffic, and a “dumb” end-user in the same cafe logs in automatically and starts using it as his wi-fi.
Will the malicious person be able to set a rule or something that will cut the connection when my URL comes through, intercept that URL and use it to impersonate the end-user and see their data?
I kind of feel that the answer is an absolute yes but at the same time, I’m not quite sure…
PS: There are many ways of tackling this otherwise but in this example I can’t create a public endpoint on ClientWebApps server that I can check something with him, also authentication is out of the question when the user enters the page. Though all of that happen inside a very secure ClientWebApp (so the user has logged properly)..