Online Booking Security and Users

Online booking API was a great addition

and the new user addition is great as well - however


The majority of users of OpenVPMS use fairly rubbish passwords, i.e. usually 2 initials. Because the systems are fairly locked down in terms of outside access, this is rarely an issue. However, the new user system requires users to be ticked for Online booking... which, unless I am wrong, means their credentials can also be used for the API.


I think we need to differentiate -

1. Because the user logged in to the API is recorded as the user who created the appointment - which is incorrect -

2. By setting a single set of credentials for the API we can create better password security

3. A set of credentials is not necessarily a clinician.


Re: Online Booking Security and Users

The role-based credential system doesn't really cover this - because some clinicians are also administrators and thus have complete access.

Regards

Ben
OpenVPMS Installer and Helper
Ph: +61423044823
Email: info[at]charltonit.com[dot]au

Re: Online Booking Security and Users

The Online Booking role is a restricted role and was aimed to be assigned to a user created solely for the purposes of online booking.

The expectation was that a PetYeti or Vetstoria account would be created with just that role.

Re: Online Booking Security and Users

Yes, I understand what the role was for - but the catch is that any user with the admin role can log in to the online booking API using their standard credentials.

Every client I have worked on uses absolutely rubbish passwords. So this effectively means that I can on average access people's online booking portals using "admin: admin" as a password - because I have seen a number of installs that never changed that.

My point was that the Online Booking role was just a subset of authorities - it doesn't limit login to the API to that user.

The end result is the API is insecure - while we can all limit access via firewalls and URL filtering - there is still a basic insecurity - I mean the API provides a very fast way to brute force a password and username.

The security of OpenVPMS has been a long-time concern - and implementers work around its security failings by using VPNs and firewalls to ensure malicious attacks can't access the database - which stores thousands of customers' personal info. While rapidly logging into the login page testing usernames can be slow... the booking API isn't - it's a perfect place to gain password access and then use those credentials to access the main login page.

The credentials that can be used in the booking API should have a custom authority or checkbox that only allows their usage for that purpose.


Re: Online Booking Security and Users

The booking API shouldn't be publicly accessible, unless you use https and you've changed security.user to require strong passwords. You can do this by setting a minimum length and specifying a regular expression for validation. In terms of security, the booking API is no weaker than the login page.
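The three mitigations raised across this thread (a password policy expressed as minimum length plus a validation regex, throttling of failed API logins so the API is no longer a fast brute-force path, and a dedicated permission so that ordinary staff credentials are not accepted by the API at all) can be put together as follows. This is an added example in Python, not OpenVPMS code: the setting names, the `api_login` flag, and every account and password in it are constructed for the demonstration and do not describe the real `security.user` configuration.

```python
"""Defensive checks for an authenticated booking API: a configurable password
policy (min length + regex), sliding-window throttling of failed logins, and
an explicit API-only permission.  Added example, not OpenVPMS code."""
import hashlib
import hmac
import os
import re
from collections import defaultdict, deque


class PasswordPolicy:
    """Minimum length plus a regex, the two knobs mentioned in the thread.
    The default pattern (constructed) demands a lower-case letter, an
    upper-case letter and a digit."""

    def __init__(self, min_length=12, pattern=r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).+$"):
        self.min_length = min_length
        self.pattern = re.compile(pattern)

    def violations(self, password):
        problems = []
        if len(password) < self.min_length:
            problems.append("shorter than %d characters" % self.min_length)
        if not self.pattern.search(password):
            problems.append("does not match the required pattern")
        return problems


class LoginThrottle:
    """Counts failed logins per account inside a sliding window.  Once
    max_failures is reached, further attempts are refused before the password
    is even checked, which removes the 'very fast brute force' property."""

    def __init__(self, max_failures=5, window_seconds=300.0):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self._failures = defaultdict(deque)

    def _recent(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > self.window_seconds:
            q.popleft()          # drop failures that fell out of the window
        return q

    def is_blocked(self, account, now):
        return len(self._recent(account, now)) >= self.max_failures

    def record_failure(self, account, now):
        self._recent(account, now).append(now)

    def record_success(self, account):
        self._failures.pop(account, None)


PBKDF2_ROUNDS = 50_000  # kept low so the demo runs quickly; production uses more


def hash_password(password, salt=None):
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class BookingApiAuth:
    """Tiny user store plus the API login decision.  Only accounts created for
    the booking integration carry the (hypothetical) api_login flag, so an
    administrator's everyday credentials are rejected by the API even when
    they are correct."""

    def __init__(self, policy=None, throttle=None):
        self.policy = policy or PasswordPolicy()
        self.throttle = throttle or LoginThrottle()
        self._users = {}

    def add_user(self, name, password, api_login=False):
        problems = self.policy.violations(password)
        if problems:
            raise ValueError("weak password for %s: %s" % (name, "; ".join(problems)))
        salt, digest = hash_password(password)
        self._users[name] = {"salt": salt, "digest": digest, "api_login": api_login}

    def authenticate_api(self, name, password, now):
        """Returns 'locked', 'bad_credentials', 'not_api_account' or 'ok'."""
        if self.throttle.is_blocked(name, now):
            return "locked"
        user = self._users.get(name)
        # Hash against dummy values for unknown users so the response time
        # does not reveal which usernames exist.
        salt = user["salt"] if user else b"\x00" * 16
        digest = user["digest"] if user else b"\x00" * 32
        _, candidate = hash_password(password, salt)
        if user is None or not hmac.compare_digest(candidate, digest):
            self.throttle.record_failure(name, now)
            return "bad_credentials"
        if not user["api_login"]:
            return "not_api_account"   # correct password, wrong kind of account
        self.throttle.record_success(name)
        return "ok"


def demo():
    """Constructed accounts and attempts; returns the outcomes for inspection."""
    auth = BookingApiAuth()
    auth.add_user("admin", "Clinic-Admin-2024x")                       # administrator
    auth.add_user("booking-svc", "Booking-Svc-Token-77", api_login=True)  # booking-only
    results = {"weak_rejected": auth.policy.violations("admin")}
    results["admin_correct"] = auth.authenticate_api("admin", "Clinic-Admin-2024x", now=0.0)
    results["svc_correct"] = auth.authenticate_api("booking-svc", "Booking-Svc-Token-77", now=1.0)
    results["bruteforce"] = [auth.authenticate_api("booking-svc", "guess%d" % i, now=2.0 + i)
                             for i in range(6)]
    results["after_window"] = auth.authenticate_api("booking-svc", "Booking-Svc-Token-77", now=1000.0)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

In the demo the administrator's correct password is accepted by the credential check but refused by the API (`not_api_account`), the sixth wrong guess against the booking account is refused without a hash computation (`locked`), and the account becomes usable again once the failures age out of the window.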
