Page MenuHomePhabricator

[services-lib] Support auth token in HTTP middleware
ClosedPublic

Authored by bartek on Sep 20 2023, 2:57 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Nov 25, 8:15 PM
Unknown Object (File)
Mon, Nov 25, 5:45 PM
Unknown Object (File)
Fri, Nov 22, 6:08 PM
Unknown Object (File)
Wed, Nov 13, 12:00 AM
Unknown Object (File)
Oct 27 2024, 4:14 AM
Unknown Object (File)
Oct 13 2024, 7:54 PM
Unknown Object (File)
Oct 13 2024, 7:54 PM
Unknown Object (File)
Oct 13 2024, 7:54 PM
Subscribers

Details

Summary

Modified auth middleware to support both new auth token enum and existing UserIdentity (as a case of that enum). The whole credential enum is now parsed and stored in the extension.

The UserIdentity case is now handled by accessing the token enum first.

Depends on D9242

Test Plan

Created test endpoint in reports service:

  • Argument of type UserIdentity still works as before
  • Argument of type AuthorizationCredential works the same way too - we're able to read UserIdentity from it
  • If we pass services token where we expect UserIdentity, a HTTP 403 is returned
  • Middleware gate (validation function) works for both

Diff Detail

Repository
rCOMM Comm
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

bartek held this revision as a draft.
bartek published this revision for review.Sep 20 2023, 3:02 AM
michal added inline comments.
services/comm-services-lib/src/http/auth.rs
60–76 ↗(On Diff #31307)

This is fine, but would it be possible to map the AuthorizationCredential future (from futures crate or somewhere else)?

This revision is now accepted and ready to land.Sep 20 2023, 5:45 AM
services/comm-services-lib/src/http/auth.rs
60–76 ↗(On Diff #31307)

Yes, this was my initial code (import futures_util::FutureExt)

let fut =
  AuthorizationCredential::from_request(req, payload).map(
    |auth| match auth {
      Ok(AuthorizationCredential::UserToken(user)) => Ok(user.clone()),
      Ok(_) => {
        debug!("Authorization provided, but it's not UserIdentity");
        let mut error = AuthenticationError::new(Bearer::default());
        *error.status_code_mut() = StatusCode::FORBIDDEN;
        Err(error.into())
      }
      Err(err) => Err(err),
    },
  );

The only reason I decided to await instead is less indentation. But I don't know if there are any other implications (performance, async scheduling, etc.). In the end, both give the same result.