
feat(auth): secure admin api with hmac signatures #2709

Open
wants to merge 7 commits into base: main

Conversation

njlie
Contributor

@njlie njlie commented May 7, 2024

Changes proposed in this pull request

  • Added signature header verification to Auth Server Admin API

Context

Closes #2704.

Checklist

  • Related issues linked using fixes #number
  • Tests added/updated
  • Documentation added
  • Make sure that all checks pass
  • Bruno collection updated

@github-actions github-actions bot added type: source Changes business logic pkg: auth Changes in the GNAP auth package. labels May 7, 2024

netlify bot commented May 7, 2024

Deploy Preview for brilliant-pasca-3e80ec ready!

Name Link
🔨 Latest commit dd78364
🔍 Latest deploy log https://app.netlify.com/sites/brilliant-pasca-3e80ec/deploys/664e5dd24653ce000923310a
😎 Deploy Preview https://deploy-preview-2709--brilliant-pasca-3e80ec.netlify.app

Resolved (outdated) review threads on:
  • bruno/collections/Rafiki/scripts.js (two threads)
  • packages/auth/src/shared/utils.ts
  • packages/auth/src/config/app.ts
@njlie njlie force-pushed the nl/2704/auth-admin-api-security branch from f75f811 to cc173b6 Compare May 22, 2024 21:03

async function canApiSignatureBeProcessed(
signature: string,
ctx: Context,
Contributor

It would be good to type this Context such that we get the types for the services like redis and logger.

const key = `signature:${signature}`
const op = redis.multi()
op.set(key, signature)
op.expire(key, signature)
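Review bot: unless the key's existence is checked before this multi (not visible here), `op.set(key, signature)` unconditionally overwrites the key, so the transaction by itself cannot detect a replayed signature; consider using the `NX` option on `set` (or an `exists` check ahead of the multi) so that a second request carrying the same signature within the TTL is rejected rather than refreshed.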
Contributor

Should the expiry take in a num as the second argument?

},
'time differential'
)
if (currentTime - signatureTime > ttlMilliseconds) return false
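Review bot: this check only rejects timestamps older than `ttlMilliseconds`; a `signatureTime` ahead of `currentTime` gives a negative difference and passes unconditionally, so consider also rejecting when `signatureTime - currentTime` exceeds an allowed clock skew, otherwise a signature with a far-future timestamp stays valid for far longer than the intended TTL.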
Contributor

I think we should add a test for this as well
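As an added example (not the Rafiki code under review in this PR), the verification flow the threads above discuss, written in TypeScript: a signature header carrying a timestamp and an HMAC, a freshness check in both directions (stale and future-dated), a constant-time comparison, and a replay store that stands in for the Redis set/expire pair. The header layout (`t=<unix-ms>, v1=<hex hmac>`), the `SignatureStore` interface and the function names are assumptions made for this example.

```typescript
import { createHmac, timingSafeEqual } from 'crypto'

// Added example, not project code. Header layout and all names below are
// assumptions chosen for illustration.

export interface SignatureStore {
  // Record `signature` for `ttlMs`; return false if it is already recorded.
  storeIfAbsent(signature: string, ttlMs: number, now: number): boolean
}

// In-memory stand-in for a Redis `set ... NX` followed by `expire`.
export class MemorySignatureStore implements SignatureStore {
  private seen = new Map<string, number>()

  storeIfAbsent(signature: string, ttlMs: number, now: number): boolean {
    const expiresAt = this.seen.get(signature)
    if (expiresAt !== undefined && expiresAt > now) return false // replay
    this.seen.set(signature, now + ttlMs)
    return true
  }
}

export interface VerifyOptions {
  secret: string
  ttlMs: number // how old a signature timestamp may be
  maxSkewMs: number // how far ahead of our clock a timestamp may be
  store: SignatureStore
  now?: number // injectable clock for tests
}

// Parse "t=<unix-ms>, v1=<hex>"; null on any malformed input.
export function parseSignatureHeader(
  header: string
): { t: number; v1: string } | null {
  const parts = new Map<string, string>()
  for (const piece of header.split(',')) {
    const [k, v] = piece.trim().split('=')
    if (k && v) parts.set(k, v)
  }
  const t = Number(parts.get('t'))
  const v1 = parts.get('v1')
  if (!Number.isFinite(t) || !v1) return null
  return { t, v1 }
}

// The timestamp is bound into the MAC so it cannot be altered independently.
export function signPayload(secret: string, t: number, body: string): string {
  return createHmac('sha256', secret).update(`${t}.${body}`).digest('hex')
}

export function verifyAdminSignature(
  header: string,
  body: string,
  opts: VerifyOptions
): boolean {
  const parsed = parseSignatureHeader(header)
  if (!parsed) return false

  const now = opts.now ?? Date.now()
  const age = now - parsed.t
  if (age > opts.ttlMs) return false // stale timestamp
  if (-age > opts.maxSkewMs) return false // timestamp too far in the future

  const expected = Buffer.from(signPayload(opts.secret, parsed.t, body), 'hex')
  const given = Buffer.from(parsed.v1, 'hex')
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) {
    return false // MAC mismatch (constant-time compare on equal lengths)
  }

  // Replay check last, so an invalid signature never occupies the store.
  return opts.store.storeIfAbsent(parsed.v1, opts.ttlMs, now)
}
```

The replay entry is kept for the same window as the freshness check, which is what makes the two checks sufficient together: once a timestamp is older than `ttlMs` the signature is rejected by age alone, so the store never needs to remember it longer than that.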

Labels
pkg: auth Changes in the GNAP auth package. type: source Changes business logic type: tests Testing related
Successfully merging this pull request may close these issues.

Secure Auth Server Admin API with signatures
4 participants