-
Notifications
You must be signed in to change notification settings - Fork 16
/
Copy pathstackhawk-auth-json-token.yml
56 lines (56 loc) · 2.96 KB
/
stackhawk-auth-json-token.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
# Username and password credentials via a JSON POST w/ header token for access to authorized routes.
app:
applicationId: xxXXXXXX-xXXX-xxXX-XXxX-xXXxxXXXXxXX
env: Development
host: ${APP_HOST:http://localhost:9000}
# How should the scanner authenticate to your application when performing a scan.
authentication:
# A username/password based authentication scheme
usernamePassword:
# The Content-Type expected by the loginPath JSON = application/json
type: JSON
# The path to POST username/password credentials to.
loginPath: /login
# The name of the username field
usernameField: email
# The name of the password field
passwordField: password
# The value of the username field
scanUsername: "[email protected]"
# The value of the password field
scanPassword: ${SCAN_PASSWORD:changeme}
# Extra fields and their values to be included in the POST data to loginPath
# in addition to the username/password.
otherParams:
- name: "rememberMe"
val: "true"
# If your authentication state is not maintained server side via a Cookie
# the tokenExtraction describes how to extract the token from the supplied credential type
# like usernamePassword in this case. The token extracted will be the value used by tokenAuthorization
# for access to authenticated routes.
tokenExtraction:
# The type of extraction. In this case we're expecting the authorization token
# To be in the JSON payload response from the authentication step.
type: TOKEN_PATH
# The location of the token in the json payload. eg: {"authorization" : {"token": "myauthtoken"}, ...}
value: "authentication.token"
# Token based authorization. If your app doesn't use cookies to maintain session/authorization state then
# you'll likely need to pass the token on every request to the authenticated routes of your application.
tokenAuthorization:
# The method by which the token will be passed to your application.
# In this case a header is expected
type: HEADER
# The name of the header that the token will be passed with requests authenticated routes.
value: Authorization
# The token type when using the Authorization header as is being used here.
# Bearer is the most common value but custom names like "JWT" or "token" are sometimes required.
tokenType: Bearer
# The testPath configuration is used to confirm scanning as an authenticated user is configured successfully.
testPath:
# The type is either HEADER or BODY and informs the success or fail regex of what part of the response to match against.
type: HEADER
# A path to validate that authentication was successful. This path should be only accessible to authenticated users.
path: /profile
# Success criteria regex pattern.
# A successful match indicates that the response from the path specified was successful
success: ".*200.*"