In the upcoming RefApp 2.11 release, we’ve considered including the openmrs-module-spa module. We’re not doing this to include any esm (microfrontend features) per se; rather, to lower the bar for people to experiment with microfrontends (e.g., opening the door to demonstrating something on demo.openmrs.org, the ability to tell someone running RefApp 2.11 that they just need to point the spa module to their esm of choice to try it out, etc).
What are your thoughts about including spa module in this Fall’s RefApp?
The module looks pretty simple, but we’d want to make sure we aren’t introducing security issues (e.g., unauthorized access to data or the file system).
- I don’t think there are any data authentication issues, since I believe it only accesses specific global properties and any data access is done between clients and our REST APIs.
- It does appear to serve up static content from the file system. Are we certain that clients can only request files at or below that location in the file system? e.g., introducing something like “…/…/…/…/etc/passwd” in the URL can’t reach files above the designated base file?
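
For reference, the kind of containment check the second question is asking about, as an added example that is not part of the original post and is not the spa module's own code. The class name `StaticFileResolver`, the temporary directory and the sample requests are constructed for illustration, and the request path is assumed to have already been URL-decoded by the servlet container.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.Optional;

// Hypothetical helper: maps a requested path onto a file at or below baseDir, or rejects it.
public class StaticFileResolver {
    private final Path baseDir;

    public StaticFileResolver(Path baseDir) throws IOException {
        // Resolve symlinks in the base once so later comparisons use its real location.
        this.baseDir = baseDir.toRealPath();
    }

    /** Returns the file to serve, or empty if the request escapes baseDir or is not a regular file. */
    public Optional<Path> resolve(String requestedPath) {
        try {
            // Drop leading separators so the request is always taken relative to baseDir.
            String relative = requestedPath.replaceFirst("^[/\\\\]+", "");
            Path candidate = baseDir.resolve(relative).normalize();
            // Lexical check: after normalization, "../" sequences must not climb above baseDir.
            // Path.startsWith compares whole path components, not string prefixes.
            if (!candidate.startsWith(baseDir)) return Optional.empty();
            // Real-path check: a symlink inside baseDir must not point outside it.
            Path real = candidate.toRealPath();
            if (!real.startsWith(baseDir) || !Files.isRegularFile(real)) return Optional.empty();
            return Optional.of(real);
        } catch (IOException | InvalidPathException e) {
            return Optional.empty(); // missing file or malformed path: treat as not found
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temp directory standing in for the static content folder.
        Path base = Files.createTempDirectory("spa-base");
        Files.write(base.resolve("index.html"), "<html></html>".getBytes(StandardCharsets.UTF_8));
        StaticFileResolver resolver = new StaticFileResolver(base);
        String[] requests = {"index.html", "/index.html", "../../../../etc/passwd", "a/../../outside.txt"};
        for (String req : requests) {
            String outcome = resolver.resolve(req).isPresent() ? "served" : "rejected";
            System.out.println(req + " -> " + outcome);
        }
    }
}
```

A unit test that feeds requests like these to whatever code resolves the static path is a direct way to answer the question for a given module version.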