
Token Validation for API calls, fix #354 #372

Merged: 7 commits merged into develop on Jan 12, 2023

Conversation

kamicut
Member

@kamicut kamicut commented Jan 11, 2023

This implements:

  1. token extraction from authorized API calls that have Bearer <access_token>
  2. checks if the access token is valid by sending it to the /introspect route in the auth proxy (check 5470dc5)
  3. extracts the sub trait from the resulting token and adds it to the session

This will allow API calls from third party applications to use access tokens to authenticate with the API.

I also added isAuthenticated for routes that need simply to have the session and session user ids in the can middleware.
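The bearer-token check described in the three steps above, as an added example that is not the osm-teams project's code. The `introspect` function is injected so the example runs offline; in production it would POST the token to the auth proxy's /introspect route and return the parsed JSON body. `fakeIntrospect` and all function names are constructed for illustration.

```javascript
// RFC 6750 b64token: ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" then "="
const BEARER_RE = /^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$/i

// Pull the access token out of an Authorization header value.
// Returns null when the header is absent or not a well-formed Bearer scheme,
// so a missing or malformed header is rejected before any network call.
function extractBearerToken(authorizationHeader) {
  if (typeof authorizationHeader !== 'string') return null
  const match = BEARER_RE.exec(authorizationHeader.trim())
  return match ? match[1] : null
}

// Validate the token via introspection and return the subject to attach
// to the session. `introspect(token)` resolves to the introspection response.
async function authenticateBearer(req, introspect) {
  const token = extractBearerToken(req.headers && req.headers.authorization)
  if (!token) {
    return { ok: false, status: 401, reason: 'missing_or_malformed_bearer' }
  }
  const result = await introspect(token)
  // Per OAuth 2.0 Token Introspection (RFC 7662) the token is usable only
  // when active === true; other fields are meaningless otherwise.
  if (!result || result.active !== true || typeof result.sub !== 'string') {
    return { ok: false, status: 401, reason: 'inactive_token' }
  }
  // `sub` identifies the user; this is the value the PR adds to the session.
  return { ok: true, status: 200, sub: result.sub }
}

// Constructed stand-in for the auth proxy's /introspect response:
// maps known token strings to their subject, everything else is inactive.
function fakeIntrospect(validTokens) {
  return async (token) => {
    const sub = validTokens[token]
    return sub ? { active: true, sub } : { active: false }
  }
}
```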

@vercel

vercel bot commented Jan 11, 2023

The latest updates on your projects.

osm-teams: Ready, preview updated Jan 12, 2023 at 5:36PM (UTC)

@kamicut kamicut requested a review from vgeorge January 11, 2023 15:22
@LanesGood
Member

@kamicut does this close issue 354?

@kamicut
Member Author

kamicut commented Jan 11, 2023

Yes! I forgot the issue number, it fixes #354

@kamicut kamicut changed the title Token Validation for API calls Token Validation for API calls, fix #354 Jan 11, 2023
Member

@vgeorge vgeorge left a comment


@kamicut this looks good overall, let's try to add test coverage for an HTTP agent, as discussed.

src/middlewares/base-handler.js (outdated, resolved)
src/pages/api/auth/[...nextauth].js (outdated, resolved)

Review comment on the mock introspection route (file name not shown on the page):

 * purposes, it mocks the hydra access token introspection
 */
export default async function handler(req, res) {
  if (req.method === 'POST') {

@kamicut I suggest adding a check here to avoid exposing this route outside testing:

if (process.env.TESTING !== 'true' || req.method !== 'POST') {
  throw Boom.notFound()
}

Member

@vgeorge vgeorge left a comment


@kamicut I think we are almost there, should we add a test for a route in the 'manage' folder?

@vgeorge vgeorge self-requested a review January 12, 2023 19:17
@kamicut kamicut merged commit 0e62ca6 into develop Jan 12, 2023