Reactive - Security Warning: You're exposing a Server Action for public access
Question
Application Type
Reactive
Service Studio Version
11.10.1 (Build 35288)

Hi,

I am getting a Security Warning, as below:

"You're exposing a Server Action for public access and without authentication. Consider removing the Anonymous Role from this Screen."

I am getting the above warning for a screen that I want to be accessible to Anonymous users as well. Hence I am not able to uncheck the screen. How do I get rid of this warning?



Thanks


Hi Rohan,

There is not really a way to get rid of the warning other than hiding it by right-clicking the warning and selecting "Hide Warning".

Since your screen has the Anonymous Role checked, it means that the REST service that will be generated by the platform for your exposed Server Action will also not have any Authentication enabled for it.

Make sure to read the Reactive web security best practices.

Regards,

Nordin

So, since Forgot Password doesn't need any authentication, anybody can access that screen. So I can't uncheck the Anonymous role for that screen. Is there any other programmatic way to get rid of this warning?


Hi Rohan,

Have you tried wrapping the Server action in a Client action like suggested in the below linked post I shared earlier?

Yes, I tried, but the result is the same, with the warning.


Hi Rohan,

If the purpose is simply to get rid of the security message, you can expose the Server Action from a different Producer module (for example a Core module) and add it as a dependency in your current (consumer) module.

EDIT: it is confirmed that this is a bug that needs to be fixed. The Security Warning should also apply to exposed Server Actions that are consumed from other modules.

Regards,

Nordin


It seems wrapping the Server Action in a Client Action will get rid of the warning, but afaik the generated REST service will still be exposed without Authentication.

https://www.outsystems.com/forums/discussion/56039/security-warning-when-using-server-actions-on-pages-that-allows-anonymous-access/

Regards,

Nordin

Hi Nordin,

I can imagine that these server actions will very much be implemented in the same way as the Service Actions under the hood. These Service Actions are only accessible from the same environment. Do you happen to know if something like this is also in place for the 'reactive' server actions?


Hi Lennart,

From what I understood, the same does not apply to Server Actions when it comes to accessibility from the same environment. They need to be publicly accessible (from the browser) when exposed via a screen.

Regards,

Nordin

Hi Nordin bro,

I got the same warning as above when I created a Sign-up Server Action, which is used in the Sign up screen.

I tried copying the DoLogin() action (this one is available to the public; the Login screen has the Anonymous role selected). Then I dragged it to a client action on the Sign up screen => the warning message is resolved.

But if I change that action's name (e.g. DoSignUp)

=> unselect Anonymous

=> select Anonymous again

=> the warning message appears.

Next, I change the action name to a new name that contains the text "DoLogin" => the warning message is resolved.

It's weird. If the action name just contains the text "Login", the warning is resolved.

I wonder why that is?

Please kindly help me understand and resolve it.
Thanks!!

Chris
