Page MenuHomePhabricator
Differential D11290

[native][web] Expose Device List RPCs to JS
ClosedPublic
Actions

Authored by bartek on Mar 11 2024, 6:15 AM.
Tags
None
Referenced Files
F6252552: D11290.diff
Fri, Apr 25, 4:34 AM
Unknown Object (File)
Thu, Apr 24, 8:29 AM
Unknown Object (File)
Thu, Apr 24, 5:58 AM
Unknown Object (File)
Thu, Apr 24, 5:14 AM
Unknown Object (File)
Thu, Apr 24, 4:29 AM
Unknown Object (File)
Wed, Apr 23, 9:49 PM
Unknown Object (File)
Tue, Apr 22, 9:43 PM
Unknown Object (File)
Mar 25 2025, 4:42 PM
View All 99 Files
Subscribers
ashoat
tomek

Details

Reviewers
kamil
michal
Commits
rCOMM8105e6af9a3e: [native][web] Expose Device List RPCs to JS
Summary

These RPCs were exposed to JS but not added to the Identity context.

Test Plan

Called them manually on both native and web and verified they're callable as expected.

Diff Detail

Repository
rCOMM Comm
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

bartek created this revision.Mar 11 2024, 6:15 AM
bartek held this revision as a draft.
Herald added subscribers: tomek, ashoat. · View Herald TranscriptMar 11 2024, 6:15 AM
bartek added a child revision: D11291: [native][web] Expose Secondary device registration RPC to JS.Mar 11 2024, 6:16 AM
Harbormaster failed remote builds in B27420: Diff 37968!Mar 11 2024, 6:29 AM
bartek updated this revision to Diff 37981.Mar 11 2024, 6:47 AM

Rebase

bartek edited the summary of this revision. (Show Details)Mar 11 2024, 7:01 AM
bartek edited the test plan for this revision. (Show Details)
Harbormaster completed remote builds in B27433: Diff 37981.Mar 11 2024, 7:19 AM
bartek published this revision for review.Mar 11 2024, 7:27 AM
bartek added inline comments.
lib/types/identity-service-types.js
135 ↗(On Diff #37981)

This RPC should be available only on native (primary device)

ashoat added inline comments.Mar 11 2024, 7:00 PM
lib/types/identity-service-types.js
135 ↗(On Diff #37981)

Can you add a comment explaining why it's optional, like there is on publishWebPrekeys?

web/grpc/identity-service-client-wrapper.js
476 ↗(On Diff #37981)

Can we undo this change?

kamil requested changes to this revision.Mar 12 2024, 8:53 AM

Looks good, just requesting changes to address my and @ashoat's comments

lib/types/identity-service-types.js
174–177 ↗(On Diff #37981)

I know it's trivial but can we add a validator here and when returning result return this using assertWithValidator?
This will maintain convention we have for IdentityServiceClient to validate each Identity response

This revision now requires changes to proceed.Mar 12 2024, 8:53 AM
kamil added 1 blocking reviewer(s): michal.Mar 12 2024, 9:02 AM

@michal is moving the Identity client to worker now so should review this code as well

bartek updated this revision to Diff 38060.Mar 14 2024, 6:03 AM

Added validator, added comment and fixed accidental newlines

michal accepted this revision.Mar 14 2024, 6:06 AM
Harbormaster completed remote builds in B27503: Diff 38060.Mar 14 2024, 6:19 AM
kamil accepted this revision.Mar 14 2024, 6:37 AM
This revision is now accepted and ready to land.Mar 14 2024, 6:37 AM
Closed by commit rCOMM8105e6af9a3e: [native][web] Expose Device List RPCs to JS (authored by bartek). · Explain WhyMar 19 2024, 4:18 AM
This revision was automatically updated to reflect the committed changes.
bartek added a commit: rCOMM8105e6af9a3e: [native][web] Expose Device List RPCs to JS.

Revision Contents
Changeset List

PathSize
lib/
types/
17 lines
native/
identity-service/
37 lines
web/
grpc/
27 lines

Diff 37968

View Options

lib/types/identity-service-types.js

use actix_web::FromRequest; use actix_web::FromRequest;
use chrono::Utc; use chrono::Utc;
use comm_services_lib::{ use comm_services_lib::{
auth::UserIdentity, auth::{AuthService, AuthorizationCredential},
blob::client::{BlobServiceClient, BlobServiceError}, blob::client::{BlobServiceClient, BlobServiceError},
crypto::aes256, crypto::aes256,
database, database,
}; };
use derive_more::{Display, Error, From}; use derive_more::{Display, Error, From};
use std::{ use std::{
collections::HashMap, collections::HashMap,
future::{ready, Ready}, future::{ready, Future},
pin::Pin,
sync::Arc, sync::Arc,
}; };
use tracing::{error, trace}; use tracing::{error, trace, warn};
use crate::{ use crate::{
config::CONFIG, config::CONFIG,
database::{ database::{
client::{DatabaseClient, ReportsPage}, client::{DatabaseClient, ReportsPage},
item::{ReportContent, ReportItem}, item::{ReportContent, ReportItem},
}, },
email::{config::EmailConfig, ReportEmail}, email::{config::EmailConfig, ReportEmail},
▲ Show 20 LinesShow All 42 Lines▼ Show 20 Lines ) -> Self {
Self { Self {
db, db,
blob_client, blob_client,
requesting_user_id: None, requesting_user_id: None,
email_config: email_config.map(Arc::new), email_config: email_config.map(Arc::new),
} }
} }
pub fn authenticated(&self, user: UserIdentity) -> Self { /// Clones the service with a new auth identity. When the credential is
let user_id = user.user_id.to_string(); /// a service-to-service, the `user_id` is None.
pub fn with_authentication(&self, token: AuthorizationCredential) -> Self {
let requesting_user_id = match &token {
AuthorizationCredential::ServicesToken(_) => None,
AuthorizationCredential::UserToken(user) => {
Some(user.user_id.to_string())
}
};
Self { Self {
db: self.db.clone(), db: self.db.clone(),
email_config: self.email_config.clone(), email_config: self.email_config.clone(),
blob_client: self.blob_client.with_user_identity(user), blob_client: self.blob_client.with_authentication(token),
requesting_user_id: Some(user_id), requesting_user_id,
} }
} }
pub async fn save_reports( pub async fn save_reports(
&self, &self,
inputs: Vec<ReportInput>, inputs: Vec<ReportInput>,
) -> ServiceResult<Vec<ReportID>> { ) -> ServiceResult<Vec<ReportID>> {
let mut reports = Vec::with_capacity(inputs.len()); let mut reports = Vec::with_capacity(inputs.len());
▲ Show 20 LinesShow All 101 Lines▼ Show 20 Linesimpl ReportsService {
) -> ServiceResult<ReportsPage> { ) -> ServiceResult<ReportsPage> {
let page = self.db.scan_reports(cursor, page_size).await?; let page = self.db.scan_reports(cursor, page_size).await?;
Ok(page) Ok(page)
} }
} }
impl FromRequest for ReportsService { impl FromRequest for ReportsService {
type Error = actix_web::Error; type Error = actix_web::Error;
type Future = Ready<Result<Self, actix_web::Error>>; type Future = Pin<Box<dyn Future<Output = Result<Self, actix_web::Error>>>>;
#[inline] #[inline]
fn from_request( fn from_request(
req: &actix_web::HttpRequest, req: &actix_web::HttpRequest,
_payload: &mut actix_web::dev::Payload, _payload: &mut actix_web::dev::Payload,
) -> Self::Future { ) -> Self::Future {
use actix_web::error::{ErrorForbidden, ErrorInternalServerError};
use actix_web::HttpMessage; use actix_web::HttpMessage;
let Some(service) = req.app_data::<ReportsService>() else { let base_service =
req.app_data::<ReportsService>().cloned().ok_or_else(|| {
tracing::error!( tracing::error!(
"FATAL! Failed to extract ReportsService from actix app_data. \ "FATAL! Failed to extract ReportsService from actix app_data. \
Check HTTP server configuration" Check HTTP server configuration"
); );
return ready(Err(actix_web::error::ErrorInternalServerError("Internal server error"))); ErrorInternalServerError("Internal server error")
}; });
let auth_service = let auth_service =
if let Some(user_identity) = req.extensions().get::<UserIdentity>() { req.app_data::<AuthService>().cloned().ok_or_else(|| {
tracing::trace!("Found user identity. Creating authenticated service"); tracing::error!(
service.authenticated(user_identity.clone()) "FATAL! Failed to extract AuthService from actix app_data. \
} else { Check HTTP server configuration"
tracing::trace!(
"No user identity found. Leaving unauthenticated service"
); );
service.clone() ErrorInternalServerError("Internal server error")
}; });
let request_auth_value =
req.extensions().get::<AuthorizationCredential>().cloned();
ready(Ok(auth_service)) Box::pin(async move {
let auth_service = auth_service?;
let base_service = base_service?;
// This is Some for endpoints hidden behind auth validation middleware
let auth_token = match request_auth_value {
Some(token @ AuthorizationCredential::UserToken(_)) => token,
Some(_) => {
// Reports service shouldn't be called by other services
warn!("Reports service requires user authorization");
return Err(ErrorForbidden("Forbidden"));
}
None => {
// Unauthenticated requests get a service-to-service token
let services_token =
auth_service.get_services_token().await.map_err(|err| {
error!("Failed to get services token: {err}");
ErrorInternalServerError("Internal server error")
})?;
AuthorizationCredential::ServicesToken(services_token)
}
};
let service = base_service.with_authentication(auth_token);
Ok(service)
})
michalUnsubmitted
Not Done
Inline Actions

Do you think it would make sense to move this into authorization middleware? So you can specify something like

.wrap(get_comm_authentication_middleware(AllowedAuth::user()))
// or
.wrap(get_comm_authentication_middleware(AllowedAuth::unauthorized())) // -> this would insert `AuthorizationCredential` with service token automatically
// or
.wrap(get_comm_authentication_middleware(AllowedAuth::services().user()))

I don't remember exactly what the API for the reports service is, but right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints.

michal: Do you think it would make sense to move this into authorization middleware? So you can specify…
bartekAuthorUnsubmitted
Done
Inline Actions

I played with various solutions a bit (spent a little too long on this).
Your suggestion makes sense in case of API, and looks like it is doable.

However, regarding having protected and unprotected endpoints:

right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints.

This is expected, we don't authenticate endpoints yet because we don't have client token.
However, this code works well with your existing auth middleware - endpoints wrapped with it will return 401 even before this code is executed.

so in the future, when we have client token, doing the following will work:

let auth_middleware = get_comm_authentication_middleware();

// this will require client token and fail if not provided
  web::scope("/authenticated")
    .wrap(auth_middleware)
    .service(...)

// this will accept both authenticated and anonymous requests.
// for the latter, service-to-service token will be obtained
  web::scope("/anonymous")
    // .wrap(auth_middleware) // no wrap
    .service(...)

To conclude, I might refactor to look more as you suggested, but it makes more sense to do it later when we have client token available (2nd part of my task that is currently blocked). I can create a follow up task for this if you wish

bartek: I played with various solutions a bit (spent a little too long on this). Your suggestion makes…
michalUnsubmitted
Not Done
Inline Actions

Makes sense, I got confused a bit

michal: Makes sense, I got confused a bit
} }
} }
struct ProcessedReport { struct ProcessedReport {
id: ReportID, id: ReportID,
db_item: ReportItem, db_item: ReportItem,
email: ReportEmail, email: ReportEmail,
} }
▲ Show 20 LinesShow All 78 LinesShow Last 20 Lines
View Options

native/identity-service/identity-service-context-provider.react.js

use actix_web::FromRequest; use actix_web::FromRequest;
use chrono::Utc; use chrono::Utc;
use comm_services_lib::{ use comm_services_lib::{
auth::UserIdentity, auth::{AuthService, AuthorizationCredential},
blob::client::{BlobServiceClient, BlobServiceError}, blob::client::{BlobServiceClient, BlobServiceError},
crypto::aes256, crypto::aes256,
database, database,
}; };
use derive_more::{Display, Error, From}; use derive_more::{Display, Error, From};
use std::{ use std::{
collections::HashMap, collections::HashMap,
future::{ready, Ready}, future::{ready, Future},
pin::Pin,
sync::Arc, sync::Arc,
}; };
use tracing::{error, trace}; use tracing::{error, trace, warn};
use crate::{ use crate::{
config::CONFIG, config::CONFIG,
database::{ database::{
client::{DatabaseClient, ReportsPage}, client::{DatabaseClient, ReportsPage},
item::{ReportContent, ReportItem}, item::{ReportContent, ReportItem},
}, },
email::{config::EmailConfig, ReportEmail}, email::{config::EmailConfig, ReportEmail},
▲ Show 20 LinesShow All 42 Lines▼ Show 20 Lines ) -> Self {
Self { Self {
db, db,
blob_client, blob_client,
requesting_user_id: None, requesting_user_id: None,
email_config: email_config.map(Arc::new), email_config: email_config.map(Arc::new),
} }
} }
pub fn authenticated(&self, user: UserIdentity) -> Self { /// Clones the service with a new auth identity. When the credential is
let user_id = user.user_id.to_string(); /// a service-to-service, the `user_id` is None.
pub fn with_authentication(&self, token: AuthorizationCredential) -> Self {
let requesting_user_id = match &token {
AuthorizationCredential::ServicesToken(_) => None,
AuthorizationCredential::UserToken(user) => {
Some(user.user_id.to_string())
}
};
Self { Self {
db: self.db.clone(), db: self.db.clone(),
email_config: self.email_config.clone(), email_config: self.email_config.clone(),
blob_client: self.blob_client.with_user_identity(user), blob_client: self.blob_client.with_authentication(token),
requesting_user_id: Some(user_id), requesting_user_id,
} }
} }
pub async fn save_reports( pub async fn save_reports(
&self, &self,
inputs: Vec<ReportInput>, inputs: Vec<ReportInput>,
) -> ServiceResult<Vec<ReportID>> { ) -> ServiceResult<Vec<ReportID>> {
let mut reports = Vec::with_capacity(inputs.len()); let mut reports = Vec::with_capacity(inputs.len());
▲ Show 20 LinesShow All 101 Lines▼ Show 20 Linesimpl ReportsService {
) -> ServiceResult<ReportsPage> { ) -> ServiceResult<ReportsPage> {
let page = self.db.scan_reports(cursor, page_size).await?; let page = self.db.scan_reports(cursor, page_size).await?;
Ok(page) Ok(page)
} }
} }
impl FromRequest for ReportsService { impl FromRequest for ReportsService {
type Error = actix_web::Error; type Error = actix_web::Error;
type Future = Ready<Result<Self, actix_web::Error>>; type Future = Pin<Box<dyn Future<Output = Result<Self, actix_web::Error>>>>;
#[inline] #[inline]
fn from_request( fn from_request(
req: &actix_web::HttpRequest, req: &actix_web::HttpRequest,
_payload: &mut actix_web::dev::Payload, _payload: &mut actix_web::dev::Payload,
) -> Self::Future { ) -> Self::Future {
use actix_web::error::{ErrorForbidden, ErrorInternalServerError};
use actix_web::HttpMessage; use actix_web::HttpMessage;
let Some(service) = req.app_data::<ReportsService>() else { let base_service =
req.app_data::<ReportsService>().cloned().ok_or_else(|| {
tracing::error!( tracing::error!(
"FATAL! Failed to extract ReportsService from actix app_data. \ "FATAL! Failed to extract ReportsService from actix app_data. \
Check HTTP server configuration" Check HTTP server configuration"
); );
return ready(Err(actix_web::error::ErrorInternalServerError("Internal server error"))); ErrorInternalServerError("Internal server error")
}; });
let auth_service = let auth_service =
if let Some(user_identity) = req.extensions().get::<UserIdentity>() { req.app_data::<AuthService>().cloned().ok_or_else(|| {
tracing::trace!("Found user identity. Creating authenticated service"); tracing::error!(
service.authenticated(user_identity.clone()) "FATAL! Failed to extract AuthService from actix app_data. \
} else { Check HTTP server configuration"
tracing::trace!(
"No user identity found. Leaving unauthenticated service"
); );
service.clone() ErrorInternalServerError("Internal server error")
}; });
let request_auth_value =
req.extensions().get::<AuthorizationCredential>().cloned();
ready(Ok(auth_service)) Box::pin(async move {
let auth_service = auth_service?;
let base_service = base_service?;
// This is Some for endpoints hidden behind auth validation middleware
let auth_token = match request_auth_value {
Some(token @ AuthorizationCredential::UserToken(_)) => token,
Some(_) => {
// Reports service shouldn't be called by other services
warn!("Reports service requires user authorization");
return Err(ErrorForbidden("Forbidden"));
}
None => {
// Unauthenticated requests get a service-to-service token
let services_token =
auth_service.get_services_token().await.map_err(|err| {
error!("Failed to get services token: {err}");
ErrorInternalServerError("Internal server error")
})?;
AuthorizationCredential::ServicesToken(services_token)
}
};
let service = base_service.with_authentication(auth_token);
Ok(service)
})
michalUnsubmitted
Not Done
Inline Actions

Do you think it would make sense to move this into authorization middleware? So you can specify something like

.wrap(get_comm_authentication_middleware(AllowedAuth::user()))
// or
.wrap(get_comm_authentication_middleware(AllowedAuth::unauthorized())) // -> this would insert `AuthorizationCredential` with service token automatically
// or
.wrap(get_comm_authentication_middleware(AllowedAuth::services().user()))

I don't remember exactly what the API for the reports service is, but right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints.

michal: Do you think it would make sense to move this into authorization middleware? So you can specify…
bartekAuthorUnsubmitted
Done
Inline Actions

I played with various solutions a bit (spent a little too long on this).
Your suggestion makes sense in case of API, and looks like it is doable.

However, regarding having protected and unprotected endpoints:

right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints.

This is expected, we don't authenticate endpoints yet because we don't have client token.
However, this code works well with your existing auth middleware - endpoints wrapped with it will return 401 even before this code is executed.

so in the future, when we have client token, doing the following will work:

let auth_middleware = get_comm_authentication_middleware();

// this will require client token and fail if not provided
  web::scope("/authenticated")
    .wrap(auth_middleware)
    .service(...)

// this will accept both authenticated and anonymous requests.
// for the latter, service-to-service token will be obtained
  web::scope("/anonymous")
    // .wrap(auth_middleware) // no wrap
    .service(...)

To conclude, I might refactor to look more as you suggested, but it makes more sense to do it later when we have client token available (2nd part of my task that is currently blocked). I can create a follow up task for this if you wish

bartek: I played with various solutions a bit (spent a little too long on this). Your suggestion makes…
michalUnsubmitted
Not Done
Inline Actions

Makes sense, I got confused a bit

michal: Makes sense, I got confused a bit
} }
} }
struct ProcessedReport { struct ProcessedReport {
id: ReportID, id: ReportID,
db_item: ReportItem, db_item: ReportItem,
email: ReportEmail, email: ReportEmail,
} }
▲ Show 20 LinesShow All 78 LinesShow Last 20 Lines
View Options

web/grpc/identity-service-client-wrapper.js

use actix_web::FromRequest; use actix_web::FromRequest;
use chrono::Utc; use chrono::Utc;
use comm_services_lib::{ use comm_services_lib::{
auth::UserIdentity, auth::{AuthService, AuthorizationCredential},
blob::client::{BlobServiceClient, BlobServiceError}, blob::client::{BlobServiceClient, BlobServiceError},
crypto::aes256, crypto::aes256,
database, database,
}; };
use derive_more::{Display, Error, From}; use derive_more::{Display, Error, From};
use std::{ use std::{
collections::HashMap, collections::HashMap,
future::{ready, Ready}, future::{ready, Future},
pin::Pin,
sync::Arc, sync::Arc,
}; };
use tracing::{error, trace}; use tracing::{error, trace, warn};
use crate::{ use crate::{
config::CONFIG, config::CONFIG,
database::{ database::{
client::{DatabaseClient, ReportsPage}, client::{DatabaseClient, ReportsPage},
item::{ReportContent, ReportItem}, item::{ReportContent, ReportItem},
}, },
email::{config::EmailConfig, ReportEmail}, email::{config::EmailConfig, ReportEmail},
▲ Show 20 LinesShow All 42 Lines▼ Show 20 Lines ) -> Self {
Self { Self {
db, db,
blob_client, blob_client,
requesting_user_id: None, requesting_user_id: None,
email_config: email_config.map(Arc::new), email_config: email_config.map(Arc::new),
} }
} }
pub fn authenticated(&self, user: UserIdentity) -> Self { /// Clones the service with a new auth identity. When the credential is
let user_id = user.user_id.to_string(); /// a service-to-service, the `user_id` is None.
pub fn with_authentication(&self, token: AuthorizationCredential) -> Self {
let requesting_user_id = match &token {
AuthorizationCredential::ServicesToken(_) => None,
AuthorizationCredential::UserToken(user) => {
Some(user.user_id.to_string())
}
};
Self { Self {
db: self.db.clone(), db: self.db.clone(),
email_config: self.email_config.clone(), email_config: self.email_config.clone(),
blob_client: self.blob_client.with_user_identity(user), blob_client: self.blob_client.with_authentication(token),
requesting_user_id: Some(user_id), requesting_user_id,
} }
} }
pub async fn save_reports( pub async fn save_reports(
&self, &self,
inputs: Vec<ReportInput>, inputs: Vec<ReportInput>,
) -> ServiceResult<Vec<ReportID>> { ) -> ServiceResult<Vec<ReportID>> {
let mut reports = Vec::with_capacity(inputs.len()); let mut reports = Vec::with_capacity(inputs.len());
▲ Show 20 LinesShow All 101 Lines▼ Show 20 Linesimpl ReportsService {
) -> ServiceResult<ReportsPage> { ) -> ServiceResult<ReportsPage> {
let page = self.db.scan_reports(cursor, page_size).await?; let page = self.db.scan_reports(cursor, page_size).await?;
Ok(page) Ok(page)
} }
} }
impl FromRequest for ReportsService { impl FromRequest for ReportsService {
type Error = actix_web::Error; type Error = actix_web::Error;
type Future = Ready<Result<Self, actix_web::Error>>; type Future = Pin<Box<dyn Future<Output = Result<Self, actix_web::Error>>>>;
#[inline] #[inline]
fn from_request( fn from_request(
req: &actix_web::HttpRequest, req: &actix_web::HttpRequest,
_payload: &mut actix_web::dev::Payload, _payload: &mut actix_web::dev::Payload,
) -> Self::Future { ) -> Self::Future {
use actix_web::error::{ErrorForbidden, ErrorInternalServerError};
use actix_web::HttpMessage; use actix_web::HttpMessage;
let Some(service) = req.app_data::<ReportsService>() else { let base_service =
req.app_data::<ReportsService>().cloned().ok_or_else(|| {
tracing::error!( tracing::error!(
"FATAL! Failed to extract ReportsService from actix app_data. \ "FATAL! Failed to extract ReportsService from actix app_data. \
Check HTTP server configuration" Check HTTP server configuration"
); );
return ready(Err(actix_web::error::ErrorInternalServerError("Internal server error"))); ErrorInternalServerError("Internal server error")
}; });
let auth_service = let auth_service =
if let Some(user_identity) = req.extensions().get::<UserIdentity>() { req.app_data::<AuthService>().cloned().ok_or_else(|| {
tracing::trace!("Found user identity. Creating authenticated service"); tracing::error!(
service.authenticated(user_identity.clone()) "FATAL! Failed to extract AuthService from actix app_data. \
} else { Check HTTP server configuration"
tracing::trace!(
"No user identity found. Leaving unauthenticated service"
); );
service.clone() ErrorInternalServerError("Internal server error")
}; });
let request_auth_value =
req.extensions().get::<AuthorizationCredential>().cloned();
ready(Ok(auth_service)) Box::pin(async move {
let auth_service = auth_service?;
let base_service = base_service?;
// This is Some for endpoints hidden behind auth validation middleware
let auth_token = match request_auth_value {
Some(token @ AuthorizationCredential::UserToken(_)) => token,
Some(_) => {
// Reports service shouldn't be called by other services
warn!("Reports service requires user authorization");
return Err(ErrorForbidden("Forbidden"));
}
None => {
// Unauthenticated requests get a service-to-service token
let services_token =
auth_service.get_services_token().await.map_err(|err| {
error!("Failed to get services token: {err}");
ErrorInternalServerError("Internal server error")
})?;
AuthorizationCredential::ServicesToken(services_token)
}
};
let service = base_service.with_authentication(auth_token);
Ok(service)
})
michalUnsubmitted
Not Done
Inline Actions

Do you think it would make sense to move this into authorization middleware? So you can specify something like

.wrap(get_comm_authentication_middleware(AllowedAuth::user()))
// or
.wrap(get_comm_authentication_middleware(AllowedAuth::unauthorized())) // -> this would insert `AuthorizationCredential` with service token automatically
// or
.wrap(get_comm_authentication_middleware(AllowedAuth::services().user()))

I don't remember exactly what the API for the reports service is, but right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints.

michal: Do you think it would make sense to move this into authorization middleware? So you can specify…
bartekAuthorUnsubmitted
Done
Inline Actions

I played with various solutions a bit (spent a little too long on this).
Your suggestion makes sense in case of API, and looks like it is doable.

However, regarding having protected and unprotected endpoints:

right now this diff would allow everyone to "authenticate" to the reports service by just not providing credentials (and get the service token by default). This should probably be scoped per (group of) endpoints.

This is expected, we don't authenticate endpoints yet because we don't have client token.
However, this code works well with your existing auth middleware - endpoints wrapped with it will return 401 even before this code is executed.

so in the future, when we have client token, doing the following will work:

let auth_middleware = get_comm_authentication_middleware();

// this will require client token and fail if not provided
  web::scope("/authenticated")
    .wrap(auth_middleware)
    .service(...)

// this will accept both authenticated and anonymous requests.
// for the latter, service-to-service token will be obtained
  web::scope("/anonymous")
    // .wrap(auth_middleware) // no wrap
    .service(...)

To conclude, I might refactor to look more as you suggested, but it makes more sense to do it later when we have client token available (2nd part of my task that is currently blocked). I can create a follow up task for this if you wish

bartek: I played with various solutions a bit (spent a little too long on this). Your suggestion makes…
michalUnsubmitted
Not Done
Inline Actions

Makes sense, I got confused a bit

michal: Makes sense, I got confused a bit
} }
} }
struct ProcessedReport { struct ProcessedReport {
id: ReportID, id: ReportID,
db_item: ReportItem, db_item: ReportItem,
email: ReportEmail, email: ReportEmail,
} }
▲ Show 20 LinesShow All 78 LinesShow Last 20 Lines