Skip to content

Commit

Permalink
feat: allow api token middleware to fetch from db (#6344)
Browse files Browse the repository at this point in the history 
## About the changes
When edge is configured to automatically generate tokens, it requires
the token to be present in all unleash instances.
It's behind a flag which enables us to turn it on on a case by case
scenario.

The risk of this implementation is that we'd be adding load to the
database in the middleware that evaluates tokens (which are present in
mostly all our API calls. We only query when the token is missing but
because the /client and /frontend endpoints which will be the affected
ones are high throughput, we want to be extra careful to avoid DDoSing
ourselves

## Alternatives:
One alternative would be that we merge the two endpoints into one.
Currently, Edge does the following:
If the token is not valid, it tries to create a token using a service
account token and /api/admin/create-token endpoint. Then it uses the
token generated (which is returned from the prior endpoint) to query
/api/frontend. What if we could call /api/frontend with the same service
account we use to create the token? It may sound risky but if the same
application holding the service account token with permission to create
a token, can call /api/frontend via the generated token, shouldn't it be
able to call the endpoint directly?

The purpose of the token is authentication and authorization. With the
two tokens we are authenticating the same app with 2 different
authorization scopes, but because it's the same app we are
authenticating, can't we just use one token and assume that the app has
both scopes?

If the service account already has permissions to create a token and
then use that token for further actions, allowing it to directly call
/api/frontend does not necessarily introduce new security risks. The
only risk is allowing the app to generate new tokens. Which leads to the
third alternative: should we just remove this option from edge?
  • Loading branch information
@gastonfournier
gastonfournier committed Feb 27, 2024
1 parent b738a2a commit 70499dc
Show file tree
Hide file tree
Showing 7 changed files with 101 additions and 9 deletions.
1 change: 1 addition & 0 deletions src/lib/__snapshots__/create-config.test.ts.snap
View file
Expand Up @@ -132,6 +132,7 @@ exports[`should create default config 1`] = `
"newStrategyConfigurationFeedback": false,
"personalAccessTokensKillSwitch": false,
"proPlanAutoCharge": false,
"queryMissingTokens": false,
"responseTimeWithAppNameKillSwitch": false,
"scimApi": false,
"sdkReporting": false,
Expand Down
22 changes: 20 additions & 2 deletions src/lib/middleware/api-token-middleware.ts
View file
Expand Up @@ -2,6 +2,7 @@ import { ApiTokenType } from '../types/models/api-token';
import { IUnleashConfig } from '../types/option';
import { IApiRequest, IAuthRequest } from '../routes/unleash-types';
import { IUnleashServices } from '../server-impl';
import { IFlagContext } from '../types';

const isClientApi = ({ path }) => {
return path && path.indexOf('/api/client') > -1;
Expand All @@ -26,6 +27,20 @@ const isProxyApi = ({ path }) => {
);
};

const contextFrom = (
req: IAuthRequest<any, any, any, any> | IApiRequest<any, any, any, any>,
): IFlagContext | undefined => {
// this is what we'd get from edge:
// req_path: '/api/client/features',
// req_user_agent: 'unleash-edge-16.0.4'
return {
reqPath: req.path,
reqUserAgent: req.get ? req.get('User-Agent') ?? '' : '',
reqAppName:
req.headers?.['unleash-appname'] ?? req.query?.appName ?? '',
};
};

export const TOKEN_TYPE_ERROR_MESSAGE =
'invalid token: expected a different token type for this endpoint';

Expand All @@ -46,7 +61,7 @@ const apiAccessMiddleware = (
return (req, res, next) => next();
}

return (req: IAuthRequest | IApiRequest, res, next) => {
return async (req: IAuthRequest | IApiRequest, res, next) => {
if (req.user) {
return next();
}
Expand All @@ -55,7 +70,10 @@ const apiAccessMiddleware = (
const apiToken = req.header('authorization');
if (!apiToken?.startsWith('user:')) {
const apiUser = apiToken
? apiTokenService.getUserForToken(apiToken)
? await apiTokenService.getUserForToken(
apiToken,
contextFrom(req),
)
: undefined;
const { CLIENT, FRONTEND } = ApiTokenType;

Expand Down
60 changes: 57 additions & 3 deletions src/lib/services/api-token-service.test.ts
View file
@@ -1,6 +1,6 @@
import { ApiTokenService } from './api-token-service';
import { createTestConfig } from '../../test/config/test-config';
import { IUnleashConfig, IUser } from '../server-impl';
import { IUnleashConfig, IUnleashOptions, IUser } from '../server-impl';
import { ApiTokenType, IApiTokenCreate } from '../types/models/api-token';
import FakeApiTokenStore from '../../test/fixtures/fake-api-token-store';
import FakeEnvironmentStore from '../features/project-environments/fake-environment-store';
Expand Down Expand Up @@ -95,7 +95,7 @@ test("Shouldn't return frontend token when secret is undefined", async () => {
await apiTokenService.createApiTokenWithProjects(token);
await apiTokenService.fetchActiveTokens();

expect(apiTokenService.getUserForToken('')).toEqual(undefined);
expect(await apiTokenService.getUserForToken('')).toEqual(undefined);
});

test('Api token operations should all have events attached', async () => {
Expand Down Expand Up @@ -185,8 +185,62 @@ test('getUserForToken should get a user with admin token user id and token name'
ADMIN_TOKEN_USER as IUser,
);

const user = tokenService.getUserForToken(token.secret);
const user = await tokenService.getUserForToken(token.secret);
expect(user).toBeDefined();
expect(user!.username).toBe(token.tokenName);
expect(user!.internalAdminTokenUserId).toBe(ADMIN_TOKEN_USER.id);
});

describe('When token is added by another instance', () => {
const setup = (options?: IUnleashOptions) => {
const token: IApiTokenCreate = {
environment: 'default',
projects: ['*'],
secret: '*:*:some-random-string',
type: ApiTokenType.CLIENT,
tokenName: 'new-token-by-another-instance',
expiresAt: undefined,
};

const config: IUnleashConfig = createTestConfig(options);
const apiTokenStore = new FakeApiTokenStore();
const environmentStore = new FakeEnvironmentStore();

const apiTokenService = new ApiTokenService(
{ apiTokenStore, environmentStore },
config,
createFakeEventsService(config),
);
return {
apiTokenService,
apiTokenStore,
token,
};
};
test('should not return the token when query db flag is disabled', async () => {
const { apiTokenService, apiTokenStore, token } = setup();

// simulate this token being inserted by another instance (apiTokenService does not know about it)
apiTokenStore.insert(token);

const found = await apiTokenService.getUserForToken(token.secret);
expect(found).toBeUndefined();
});

test('should return the token when query db flag is enabled', async () => {
const { apiTokenService, apiTokenStore, token } = setup({
experimental: {
flags: {
queryMissingTokens: true,
},
},
});

// simulate this token being inserted by another instance (apiTokenService does not know about it)
apiTokenStore.insert(token);

const found = await apiTokenService.getUserForToken(token.secret);
expect(found).toBeDefined();
expect(found?.username).toBe(token.tokenName);
});
});
16 changes: 15 additions & 1 deletion src/lib/services/api-token-service.ts
View file
Expand Up @@ -24,6 +24,7 @@ import {
ApiTokenCreatedEvent,
ApiTokenDeletedEvent,
ApiTokenUpdatedEvent,
IFlagContext,
IFlagResolver,
IUser,
SYSTEM_USER,
Expand Down Expand Up @@ -160,7 +161,10 @@ export class ApiTokenService {
}
}

public getUserForToken(secret: string): IApiUser | undefined {
public async getUserForToken(
secret: string,
flagContext?: IFlagContext, // temporarily added, expected from the middleware
): Promise<IApiUser | undefined> {
if (!secret) {
return undefined;
}
Expand All @@ -181,6 +185,16 @@ export class ApiTokenService {
);
}

if (
!token &&
this.flagResolver.isEnabled('queryMissingTokens', flagContext)
) {
token = await this.store.get(secret);
if (token) {
this.activeTokens.push(token);
}
}

if (token) {
this.lastSeenSecrets.add(token.secret);
const apiUser: IApiUser = new ApiUser({
Expand Down
5 changes: 5 additions & 0 deletions src/lib/types/experimental.ts
View file
Expand Up @@ -47,6 +47,7 @@ export type IFlagKey =
| 'inMemoryScheduledChangeRequests'
| 'collectTrafficDataUsage'
| 'useMemoizedActiveTokens'
| 'queryMissingTokens'
| 'userAccessUIEnabled'
| 'disableUpdateMaxRevisionId'
| 'disablePublishUnannouncedEvents'
Expand Down Expand Up @@ -248,6 +249,10 @@ const flags: IFlags = {
process.env.UNLEASH_EXPERIMENTAL_DISABLE_SCHEDULED_CACHES,
false,
),
queryMissingTokens: parseEnvVarBoolean(
process.env.UNLEASH_EXPERIMENTAL_QUERY_MISSING_TOKENS,
false,
),
scimApi: parseEnvVarBoolean(
process.env.UNLEASH_EXPERIMENTAL_SCIM_API,
false,
Expand Down
4 changes: 2 additions & 2 deletions src/test/e2e/services/api-token-service.e2e.test.ts
View file
Expand Up @@ -200,8 +200,8 @@ test('should return user with multiple projects', async () => {
environment: DEFAULT_ENV,
});

const multiProjectUser = apiTokenService.getUserForToken(secret1);
const singleProjectUser = apiTokenService.getUserForToken(secret2);
const multiProjectUser = await apiTokenService.getUserForToken(secret1);
const singleProjectUser = await apiTokenService.getUserForToken(secret2);

expect(multiProjectUser!.projects).toStrictEqual([
'test-project',
Expand Down
2 changes: 1 addition & 1 deletion website/docs/reference/front-end-api.md
View file
Expand Up @@ -42,7 +42,7 @@ The client needs to point to the correct API endpoint. The front-end API is avai

### API token

You can create appropriate token, with type `FRONTEND` on `<YOUR_UNLEASH_URL>/admin/api/create-token` page or with a request to `/api/admin/api-tokens`. See our guide on [how to create API tokens](../how-to/how-to-create-api-tokens.mdx) for more details.
You can create appropriate token, with type `FRONTEND` on `<YOUR_UNLEASH_URL>/api/admin/create-token` page or with a request to `/api/admin/api-tokens`. See our guide on [how to create API tokens](../how-to/how-to-create-api-tokens.mdx) for more details.

### Refresh interval for tokens

Expand Down

0 comments on commit 70499dc

Please sign in to comment.