Observed behavior
An explicit call is required to Auth0Connection.linkApiKeyToApiUser to make sure the requesting API user matches the provided API key. This is currently only done in OtpUserController.preCreateHook, but is likely to be required in other parts of the application at a later date.
Expected behavior
The API user to API key validation should take place as part of the initial user auth and not be explicitly checked where required. This would allow additional functionality to be added without considering the validation (as it would have already been carried out beforehand).
Consideration needs to be taken where a user can be an API user and an OTP user. Rejecting a request because the x-api-key isn't provided or doesn't match the requesting API user may not be suitable because the user may in fact be making a request as a valid OTP user.
If the decision is made to invalidate an API user, how should this be done? For instance, the API user held in RequestingUser could be set to null.
Steps to reproduce the problem
N/A
Any special notes on configuration used
N/A
Version of otp-middleware and/or OpenTripPlanner if applicable (exact commit hash or branch name)
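As an added example (not otp-middleware code), the following sketch shows the behaviour the issue proposes: the key check runs once at authentication time, and a missing or mismatched x-api-key clears the API-user role instead of rejecting the request, so a caller who is also a valid OTP user keeps that role. The ApiUser, OtpUser, RequestingUser and link_api_key_to_api_user names are hypothetical stand-ins for the page's classes, and the sample users and keys are constructed.

```python
"""Added example, not otp-middleware code: validate the API key once during
initial authentication rather than in each controller hook."""
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class ApiUser:
    id: str
    api_keys: tuple  # constructed: keys issued to this API user


@dataclass
class OtpUser:
    id: str


@dataclass
class RequestingUser:
    """Hypothetical stand-in for the page's RequestingUser holder."""
    api_user: Optional[ApiUser]
    otp_user: Optional[OtpUser]


def link_api_key_to_api_user(api_user: Optional[ApiUser], api_key: Optional[str]) -> bool:
    """Hypothetical equivalent of Auth0Connection.linkApiKeyToApiUser: True only
    when the presented x-api-key was issued to this API user."""
    if api_user is None or not api_key:
        return False
    # constant-time comparison so key matching does not leak timing
    return any(hmac.compare_digest(key, api_key) for key in api_user.api_keys)


def authenticate(api_user: Optional[ApiUser], otp_user: Optional[OtpUser],
                 headers: dict) -> RequestingUser:
    """Run the key check once at auth time. A missing or mismatched key drops the
    API-user role (set to None) rather than rejecting the whole request, so a
    caller who is also a valid OTP user can still act as that OTP user."""
    api_key = headers.get("x-api-key")
    if not link_api_key_to_api_user(api_user, api_key):
        api_user = None
    return RequestingUser(api_user=api_user, otp_user=otp_user)


def is_authorized(req: RequestingUser) -> bool:
    """A request is allowed only if at least one role survived authentication."""
    return req.api_user is not None or req.otp_user is not None
```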
#84