Cesium Engine not using authentication header

Hey Team,

Is there a way to configure cesium engine to use an authentication header? At the moment our access tokens are being used in plain text as a query parameter.

https://api.cesium.com/v1/assets/2/endpoint?access_token=

Hi,

I have moved your query to the Cesium Js forum. They should be able to assist you best with your cesium-engine question.

Thanks,
Ankit

Hi @rileyhowley,

Would you be able to share more about the motivations and your use case for needing to change this? I don’t believe there’s any way to do it without changing the CesiumJS source code or creating your own resource classes (which may or may not be overkill here?)

The motivation behind this is that we use a multitude of monitoring tools with varying levels of access to folks across the business. URLs that are called are logged, and custom logic for each logging tool to exclude access tokens from the query params logged is not our preference. Using an auth header protects us from accidentally logging tokens.

The issue with using the Authorization header from a browser based application is that in the OPTIONS request the Access-Control-Allow-Credentials header must be set to true, which requires the Access-Control-Allow-Origin header to be set to the specific domain that is making the request. This opens a security hole that would allow any site to make a request as a logged in ion user, using cookie credentials.
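The alternative the thread mentions (scrubbing tokens out of logged URLs instead of moving them to a header) is shown here as an added example; it is not code from the thread or from CesiumJS, and the parameter names and the sample log line are constructed assumptions.

```javascript
// Added example (not from the thread or from CesiumJS): redact token-bearing
// query parameters from URLs before a log line reaches a monitoring tool.
// The parameter names and the sample log line are constructed assumptions.
const SENSITIVE_PARAMS = new Set(["access_token", "token", "api_key", "apikey"]);
const REDACTED = "REDACTED";

// Replace the value of every sensitive query parameter in one URL.
// Strings that are not absolute URLs are returned unchanged.
function redactUrl(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return rawUrl;
  }
  // Copy the keys first: set() mutates searchParams while we iterate.
  for (const name of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase())) {
      // set() also collapses duplicate keys into one redacted entry.
      url.searchParams.set(name, REDACTED);
    }
  }
  return url.toString();
}

// Scrub every absolute http(s) URL found inside a free-form log line.
const URL_RE = /https?:\/\/[^\s"'<>]+/g;
function redactLogLine(line) {
  return line.replace(URL_RE, (match) => redactUrl(match));
}

// Constructed sample: the shape of the request the thread is about.
const SAMPLE_LOG =
  "GET https://api.cesium.com/v1/assets/2/endpoint?access_token=eyJhbGciOi.example 200";

console.log(redactLogLine(SAMPLE_LOG));
// → GET https://api.cesium.com/v1/assets/2/endpoint?access_token=REDACTED 200
```

Run the scrubber in the log pipeline before the sink, so the token is gone before any monitoring tool stores the line.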

Hi all,

After a quick discussion it has resulted in an issue with naming, as the access_token is essentially an API key and can be locked down to specific applications, therefore, it is rather difficult and rare that this token could be used in a malicious way. As well on this topic, the access_token allows access to public Ion data and assets from your cesium ion account.

We have now mitigated the issue on our side as this is not a security concern. If a token did become abused then it's simple enough to roll it.

Shout out to the team that cleared this up!

Cheers
