2

My organization employs a number of services that expose REST interfaces. POST, PUT or DELETE requests to such an interface can be destructive. Using firewalls and user authentication, we can restrict the access to authorized personnel. I'd like to take it one step further and require approval from two persons before a request is handled by the application server.

Is there a reverse proxy that I can employ in between the user(s) and the application server such that any GET request is forwarded to the application server immediately? However, any POST or PUT request is delayed until approved on an interactive web page. (The requests in question typically contain a JSON body and the URL and HTTP verb are quite descriptive.)

So, if Alice does

curl -XDELETE https://some.api/important/resource,

this won't have an effect until Bob opens a web browser and explicitly OKs it. Alice may use a script to perform the operation, but Bob has to be present at the browser and verify the request.

Jan

2 Answers

2

First off, this sounds very much like trying to use technology to solve a non-tech problem, which I'm always wary of.

That said, I can't imagine any off-the-shelf/out-of-box software that will do this, since it's a slightly odd, if not somewhat valid, requirement.

What you could do, however, is intercept the requests with methods of concern and forward them to a script which then saves them somewhere (SQL, file, Redis, etc.). These requests should probably return a generic JSON object that states their request has been queued for approval so users don't think they've failed.

The administrative user(s) then load(s) another page which lists the request queue, and approves them as needed. The approved requests could be immediately resubmitted by Bob's session, or they could be dispatched to a worker process that does them in the background.

GregL
  • Your answer basically describes my question. This is exactly what I am looking for. To answer the concern in your first line: in my use case, it is actually meant for self-protection. Alice and Bob are both fully trusted to perform the changes. However, we have shot ourselves in the foot recently with a powerful command line script. Thus, I prefer an additional check. – Jan Jun 23 '15 at 12:01
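
The queue-and-approve flow described in the answer above, as an added Python example that is not part of the original answers: gated methods are stored and answered with a generic "queued" reply, and a second person releases them. The class name `ApprovalGate`, the injected `forward` callable, the 15-minute expiry and the digest check are assumptions made for illustration.

```python
import hashlib, json, secrets, time

GATED = {"POST", "PUT", "DELETE"}   # methods held for a second person
TTL = 900                           # assumed: pending requests expire after 15 minutes


class ApprovalGate:
    def __init__(self, forward, clock=time.time):
        self.forward = forward      # hypothetical callable(method, path, body) -> upstream reply
        self.clock = clock
        self.pending = {}           # ticket -> stored request

    @staticmethod
    def digest(method, path, body):
        # Hash over exactly what will be replayed; the approval page shows it to Bob.
        blob = json.dumps([method, path, body], sort_keys=True).encode()
        return hashlib.sha256(blob).hexdigest()

    def handle(self, user, method, path, body=None):
        if method not in GATED:
            return self.forward(method, path, body)   # reads pass straight through
        ticket = secrets.token_urlsafe(16)
        self.pending[ticket] = {
            "requester": user, "method": method, "path": path, "body": body,
            "digest": self.digest(method, path, body), "created": self.clock(),
        }
        # Generic "queued" reply so the caller's script does not see a failure.
        return {"status": 202, "state": "pending_approval", "ticket": ticket}

    def list_pending(self):
        now = self.clock()
        return {t: r for t, r in self.pending.items() if now - r["created"] <= TTL}

    def approve(self, ticket, approver, seen_digest):
        req = self.pending.get(ticket)
        if req is None:
            raise KeyError("unknown or already used ticket")
        if self.clock() - req["created"] > TTL:
            del self.pending[ticket]
            raise TimeoutError("request expired before approval")
        if approver == req["requester"]:
            raise PermissionError("requester cannot approve their own request")
        if seen_digest != req["digest"]:
            raise ValueError("approved digest does not match stored request")
        del self.pending[ticket]                      # single use: no replay
        return self.forward(req["method"], req["path"], req["body"])
```

Binding the approval to a digest of the stored method, path and body means the request Bob reviewed is the one that gets dispatched, and deleting the ticket on approval keeps one OK from releasing the same request twice.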
0

You can do it in Apache. Something like (writing from memory) should do it:

<Location /api>
  AuthType Basic
  AuthName "API authentication"
  AuthUserFile /path/to/htusers
  AuthGroupFile  /path/to/htgroups

  Require valid-user

  # Write user group
  <Limit DELETE>
    Require group superusers
  </Limit>
</Location>

This will allow any user in your htusers file to run GET, POST, PUT etc. However, DELETE will be limited to anyone in the "superusers" group.

chriscowley
  • I'm sorry if my question was not clear. Your answer describes the status quo. I want to take this further such that no one can make a DELETE request without a 2nd confirmation. – Jan Jun 03 '15 at 09:59