[comm-lib] Verify CSAT in HTTP middleware
ClosedPublic

Authored by bartek on Jun 13 2024, 1:04 AM.

Details

Summary

Updated the HTTP middleware function to verify the authorization credential, unless verification is disabled.

Depends on D12412, D12413

Test Plan

At this point, the test plan from D12412 also requires credentials to be valid (token present in Identity).

Diff Detail

Repository
rCOMM Comm
Lint
No Lint Coverage
Unit
No Test Coverage

Event Timeline

bartek held this revision as a draft.

Disable verification in commtest

bartek published this revision for review. Jun 13 2024, 1:53 AM
bartek added inline comments.
shared/comm-lib/src/auth/types.rs
44–46

This is used only in low-level logs (debug/trace). If this is still too dangerous, I'll remove the user_id entirely.

shared/comm-lib/src/auth/types.rs
44–46

Will these logs appear in production?

shared/comm-lib/src/auth/types.rs
44–46

No, we need to explicitly lower the log level to debug (we do it only on staging) or even lower to trace (I do it only locally in dev env).

shared/comm-lib/src/auth/types.rs
44–46

Thanks for explaining!

This revision is now accepted and ready to land. Jun 17 2024, 8:59 PM