Type: New Feature
Affects Version/s: None
Fix Version/s: None
Work for GPII-3711 requires 3 additional security checks for HTTP requests from NOVA:
1. Verify IP addresses of incoming requests to ensure they are within NOVA IP range;
2. Only NOVA computers have the privilege to retrieve and save user settings for nonexistent GPII keys; in that case the specified GPII key and its associated preferences safes are created automatically;
3. Verify preferences to be saved against a list of preferences that are allowed to be updated/created.
Adjustments to APIs to accomplish these security checks:
- /access_token handler:
1. Verify IP addresses;
2. If a client credential in the request doesn't have the privilege to create new GPII keys and prefs safes but requests access to a nonexistent GPII key, the request will be rejected.
- /settings PUT handler:
If "allowedPrefsToWrite" is defined, all preference keys must be in this array. Any request to create or update preferences that are not allowed will be rejected.
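
A sketch of the three checks as pure functions, added here as an illustration and not taken from the GPII code base. The field names `allowedIPBlocks` and `isCreateGpiiKeyAllowed`, the flat preferences map, IPv4-only matching, and rejecting a credential that lists no IP range are assumptions; only `allowedPrefsToWrite` is named in this ticket.

```javascript
// Constructed sample credential (192.0.2.0/24 is a documentation range).
const sampleCredential = {
    allowedIPBlocks: ["192.0.2.0/24"],   // assumed field name
    isCreateGpiiKeyAllowed: true,        // assumed field name
    allowedPrefsToWrite: ["fontSize", "highContrast"] // constructed keys
};

// Dotted-quad IPv4 to an unsigned integer; null when malformed.
function ipv4ToInt(ip) {
    const parts = String(ip).split(".");
    if (parts.length !== 4) return null;
    let n = 0;
    for (const p of parts) {
        if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
        n = n * 256 + Number(p);
    }
    return n;
}

// Check 1: true only if ip parses and falls inside one of the CIDR blocks.
function isIpInBlocks(ip, blocks) {
    const addr = ipv4ToInt(ip);
    if (addr === null) return false; // fail closed on unparsable input
    return blocks.some((block) => {
        const [base, bits] = String(block).split("/");
        const baseInt = ipv4ToInt(base);
        if (baseInt === null || !/^\d{1,2}$/.test(bits) || Number(bits) > 32) return false;
        const size = 2 ** (32 - Number(bits));
        return Math.floor(addr / size) === Math.floor(baseInt / size);
    });
}

// /access_token: checks 1 and 2. gpiiKeyExists comes from the caller's data-store lookup.
function checkAccessTokenRequest(credential, remoteIp, gpiiKeyExists) {
    if (!isIpInBlocks(remoteIp, credential.allowedIPBlocks || [])) {
        return { allowed: false, reason: "ip_not_allowed" };
    }
    if (!gpiiKeyExists && credential.isCreateGpiiKeyAllowed !== true) {
        return { allowed: false, reason: "nonexistent_gpii_key" };
    }
    return { allowed: true };
}

// /settings PUT: check 3. Returns the preference keys that are not allowed.
function disallowedPrefs(credential, preferences) {
    const allowed = credential.allowedPrefsToWrite;
    if (!Array.isArray(allowed)) return []; // list not defined: no restriction
    return Object.keys(preferences).filter((key) => !allowed.includes(key));
}
```

A PUT handler would reject the request whenever `disallowedPrefs` returns a non-empty array, rather than silently dropping the extra keys.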