Follow-up from #1466.
The state API (state-api.test.compactconnect.org) has 4 endpoints and uses its own Cognito user pool (StateAuthUsers) for machine-to-machine authentication. It was excluded from the ZAP scan because no test credential exists for that pool.
Endpoints not being scanned:
POST /v1/compacts/{compact}/jurisdictions/{jurisdiction}/licenses
GET /v1/compacts/{compact}/jurisdictions/{jurisdiction}/licenses/bulk-upload
POST /v1/compacts/{compact}/jurisdictions/{jurisdiction}/providers/query
GET /v1/compacts/{compact}/jurisdictions/{jurisdiction}/providers/{providerId}
What's needed:
- Provision a test client credential in the StateAuthUsers pool
- Add state-specific secrets to the GitHub repo
- Update owasp-zap/data/test-automation.yml to re-include the state API context and OpenAPI import
- May need separate authentication flow (machine-to-machine, not SRP)
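To illustrate the last point, here is an added example (not code from the CompactConnect repo or its ZAP configuration) of the machine-to-machine flow a scan client would use against a Cognito pool like StateAuthUsers: the OAuth2 client-credentials grant on the pool's `/oauth2/token` endpoint, which exchanges a client id and secret for a short-lived bearer token and involves no username, password or SRP exchange. The Cognito domain, client id, client secret and scope are placeholders; the token response used offline is a constructed sample.

```python
"""Added example: Cognito client-credentials (machine-to-machine) token flow.

Not part of the project. Domain, client id/secret and scope are placeholders;
real values would live in the StateAuthUsers pool and GitHub secrets, not here.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

COGNITO_DOMAIN = "example-auth.auth.us-east-1.amazoncognito.com"  # placeholder
CLIENT_ID = "EXAMPLE_CLIENT_ID"          # placeholder, constructed
CLIENT_SECRET = "EXAMPLE_CLIENT_SECRET"  # placeholder, constructed
SCOPE = "example-resource/readwrite"     # placeholder resource-server scope


def build_token_request(domain, client_id, client_secret, scope=None):
    """Return (url, headers, body) for a Cognito client_credentials token call.

    The client id and secret go in an HTTP Basic header; the form body carries
    only grant_type and an optional scope. No user identity is involved, which
    is why the SRP flow used for user pools with human accounts does not apply.
    """
    url = f"https://{domain}/oauth2/token"
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    body = urllib.parse.urlencode(params).encode()
    return url, headers, body


def parse_token_response(payload, now=None):
    """Validate the token JSON and return (access_token, expires_at_epoch).

    A client-credentials response contains only an access token: there is no
    id_token and no refresh_token, so a long-running scan must re-request a
    token before expires_in elapses rather than refresh it.
    """
    data = json.loads(payload)
    if data.get("token_type") != "Bearer":
        raise ValueError(f"unexpected token_type: {data.get('token_type')!r}")
    token = data.get("access_token")
    if not token:
        raise ValueError("token response lacks access_token")
    expires_in = int(data.get("expires_in", 0))
    now = time.time() if now is None else now
    return token, now + expires_in


def fetch_token(domain, client_id, client_secret, scope=None, timeout=10):
    """Perform the live token call (network); not exercised in the offline demo."""
    url, headers, body = build_token_request(domain, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode())


def bearer_header(token):
    """Header the scanner attaches to every state API request once it has a token."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    # Offline walkthrough with the placeholder client and a constructed response.
    url, headers, body = build_token_request(COGNITO_DOMAIN, CLIENT_ID, CLIENT_SECRET, SCOPE)
    print("POST", url, body.decode())
    sample = json.dumps({"access_token": "constructed.sample.token",
                         "expires_in": 3600, "token_type": "Bearer"})
    token, expires_at = parse_token_response(sample, now=0)
    print(bearer_header(token), "valid for", int(expires_at), "seconds")
```

The split between `build_token_request` and `fetch_token` is deliberate: the request construction and response validation can be tested without network access, and the live call is the only part that needs the provisioned secret.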