
Auth revamp #213

Merged
merged 7 commits into from
Jan 30, 2025

Conversation

MasterKenth
Contributor

@MasterKenth MasterKenth commented Jan 22, 2025

New auth (Authentication + Authorization) system. Major points:

  • De-coupling and interfacing of authentication (login) and authorization (still uses part of old system for now)
  • Enable API-keys (loginless endpoint security)
  • Cleaner endpoint code for enabling auth
  • Using the new provided auth decorator, automatically handle auth-related results (400/401/403), with documentation for OpenAPI docs

Decorator

New decorator is opt-in. Create an object that wraps an existing APIRouter instance:

router = APIRouter(
    prefix="/api/auth",
    tags=["Auth Test"]
)
auth = AuthRouterDecorator(router)

Then substitute @router.X with @auth.X:

@auth.get(
    '/test',
    ['can_ask_questions'],
    summary='Test authentication/authorization endpoint',
    description='''This endpoint does nothing except showcase how auth endpoints work. 
    
It also serves as a code example of how to implement an endpoint with auth (see source code).''',
    response_model=AuthTestReturnModel,
    response_description='Success. Returns the authentication details.'
)
async def auth_test(auth_identity: AuthenticatedIdentity):
    ...

The second positional argument is the list of "scopes" (permissions) required for the endpoint.

Not all parameters of the @router decorator are exposed, but they can easily be added as needed in the future.

Optional auth_identity argument to endpoint function can be used to extract the identity for further use (similar to use cases of get_project_user from old code).

Authentication

Bearer tokens (users)

For now, user authentication uses the same system and login procedure as before (jwt bearer token through either a cookie or the WWW-Authenticate header).

API keys

API-keys can be provided to endpoints with the X-Api-Key header, e.g. X-Api-Key: fai-abcdef....

API keys can be created/listed/revoked through the new API key CRUD API at /api/auth/apikey. Managing API keys requires the can_manage_api_keys scope.

After the results of the initial create call (POST /api/auth/apikey) the actual API key is never exposed again. Instead a key can only be revoked by using its revoke_id which is also provided in the result of the create call.

TODO/future

  • Limit scopes an API key can be created with to a subset of the scopes available to the calling identity DONE
  • Store hashed API keys in database instead to further limit possible exposure
  • Adopt for endpoints
  • Improve de-coupling of the implementation of IAuthorizationProvider
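
The following is an added, framework-agnostic illustration of the behaviour the PR description lays out (the decorator's 400/401/403 results, the scope check, the API key that is returned once and revoked via its revoke_id, and the scope-subset limit from the TODO list). It is not code from this PR or its project: AuthError, Identity, ApiKeyStore and require_scopes are hypothetical names, the request is a plain dict standing in for a FastAPI request, and the store hashes keys with SHA-256, which goes beyond the PR (whose hashed-storage item is still a TODO) to show what that item would look like.

```python
import hashlib
import secrets
from dataclasses import dataclass
from functools import wraps
from typing import Dict, FrozenSet, Iterable, Optional

# Constructed example: AuthError, Identity, ApiKeyStore and require_scopes are
# hypothetical names, not part of the project in this PR.


class AuthError(Exception):
    """Raised by the decorator; status mirrors the PR's 400/401/403 results."""

    def __init__(self, status: int, detail: str) -> None:
        super().__init__(detail)
        self.status = status
        self.detail = detail


@dataclass(frozen=True)
class Identity:
    subject: str
    scopes: FrozenSet[str]


@dataclass
class _KeyRecord:
    key_hash: str  # only the SHA-256 digest is stored, never the key itself
    revoke_id: str
    subject: str
    scopes: FrozenSet[str]
    revoked: bool = False


class ApiKeyStore:
    PREFIX = "fai-"  # matches the "fai-..." shape shown in the PR

    def __init__(self) -> None:
        self._by_hash: Dict[str, _KeyRecord] = {}
        self._by_revoke_id: Dict[str, _KeyRecord] = {}

    @staticmethod
    def _digest(key: str) -> str:
        # Keys are high-entropy random tokens, so an unsalted SHA-256 suffices:
        # a leaked digest cannot be presented as a key or reversed to one.
        return hashlib.sha256(key.encode()).hexdigest()

    def create(self, caller: Identity, scopes: Iterable[str]) -> Dict[str, str]:
        requested = frozenset(scopes)
        if "can_manage_api_keys" not in caller.scopes:
            raise AuthError(403, "can_manage_api_keys scope required")
        if not requested <= caller.scopes:  # no privilege escalation via keys
            raise AuthError(403, "requested scopes exceed those of the calling identity")
        key = self.PREFIX + secrets.token_urlsafe(32)
        revoke_id = secrets.token_urlsafe(16)
        record = _KeyRecord(self._digest(key), revoke_id, caller.subject, requested)
        self._by_hash[record.key_hash] = record
        self._by_revoke_id[revoke_id] = record
        # The plaintext key leaves the store exactly once, in this return value.
        return {"api_key": key, "revoke_id": revoke_id}

    def revoke(self, revoke_id: str) -> bool:
        record = self._by_revoke_id.get(revoke_id)
        if record is None or record.revoked:
            return False
        record.revoked = True
        return True

    def authenticate(self, presented: Optional[str]) -> Optional[Identity]:
        if presented is None:
            return None  # no credential at all; the decorator turns this into 401
        if not presented.startswith(self.PREFIX):
            raise AuthError(400, "malformed X-Api-Key header")
        record = self._by_hash.get(self._digest(presented))
        if record is None or record.revoked:
            return None
        return Identity(subject=f"apikey:{record.subject}", scopes=record.scopes)


def require_scopes(store: ApiKeyStore, required: Iterable[str]):
    """Stand-in for the PR's @auth.get(path, [scopes], ...) decorator."""
    needed = frozenset(required)

    def decorator(fn):
        @wraps(fn)
        def wrapper(request: Dict[str, Dict[str, str]], *args, **kwargs):
            identity = store.authenticate(request.get("headers", {}).get("X-Api-Key"))
            if identity is None:
                raise AuthError(401, "authentication required")
            missing = needed - identity.scopes
            if missing:
                raise AuthError(403, f"missing scopes: {sorted(missing)}")
            # Hand the identity to the endpoint, like the PR's auth_identity argument.
            return fn(request, *args, auth_identity=identity, **kwargs)
        return wrapper
    return decorator


def demo() -> Dict[str, object]:
    """Walk the key lifecycle and return the status each request produced."""
    store = ApiKeyStore()
    admin = Identity("alice", frozenset({"can_manage_api_keys", "can_ask_questions"}))
    created = store.create(admin, ["can_ask_questions"])
    limited = store.create(admin, ["can_manage_api_keys"])  # lacks the endpoint scope

    @require_scopes(store, ["can_ask_questions"])
    def ask(request, auth_identity):
        return auth_identity.subject

    def status(request) -> object:
        try:
            return ask(request)
        except AuthError as err:
            return err.status

    out: Dict[str, object] = {}
    out["ok"] = status({"headers": {"X-Api-Key": created["api_key"]}})
    out["no_header"] = status({"headers": {}})
    out["malformed"] = status({"headers": {"X-Api-Key": "not-a-key"}})
    out["unknown"] = status({"headers": {"X-Api-Key": "fai-" + "x" * 43}})
    out["forbidden"] = status({"headers": {"X-Api-Key": limited["api_key"]}})
    try:
        store.create(admin, ["can_delete_everything"])
        out["escalation"] = "allowed"
    except AuthError as err:
        out["escalation"] = err.status
    out["revoked"] = store.revoke(created["revoke_id"])
    out["after_revoke"] = status({"headers": {"X-Api-Key": created["api_key"]}})
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two choices worth noting: a revoked key and an unknown key both yield 401 rather than a distinguishable error, so a caller cannot probe which keys ever existed, and the store never needs the plaintext again because lookups go through the digest of whatever the client presents.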

@MasterKenth MasterKenth changed the title Feat/auth revamp Auth revamp Jan 22, 2025
@MasterKenth MasterKenth marked this pull request as ready for review January 24, 2025 16:57
@dannil76 dannil76 self-requested a review January 29, 2025 13:52
@MasterKenth MasterKenth merged commit d74fe39 into master Jan 30, 2025
2 checks passed
@MasterKenth MasterKenth deleted the feat/auth-revamp branch January 30, 2025 10:46