
New API auth mechanism for SPA frontend requests to APIs (developers only for now) #9063

Closed
pdurbin opened this issue Oct 14, 2022 · 4 comments · Fixed by #9290
Labels: Feature: API; NIH OTA: 1.7.1 (reArchitecture) 7 | 1.7.1 | Research & architecture for separating backend and frontend to enable a flexible, sca...; pm.GREI-d-1.7.1 NIH, yr1, aim7, task1: Research & architecture for separating backend and frontend; User Role: API User Makes use of APIs

Comments

@pdurbin
Member

pdurbin commented Oct 14, 2022

Overview of the Feature Request

In order to use a Single Page Application (SPA) architecture, the SPA (written in React, Vue, Angular, Web Components, etc.) needs to be able to authenticate against Dataverse APIs.

What kind of user is the feature intended for?

Frontend developers using React or similar.

What inspired the request?

https://github.com/GPortas/dataverse-react-poc by @GPortas relies on a fork of Dataverse at https://github.com/GPortas/dataverse/tree/session_api_auth that allows a JSESSIONID session cookie to be used to auth against the Dataverse APIs.

To use the words from the README:

"In particular, this PoC focuses on testing the following points:

  • New API auth mechanism using JSESSIONID cookie for new front-end requests to the Native API

It is necessary to locally deploy Dataverse with this branch: https://github.com/GPortas/dataverse/tree/session_api_auth

That branch has the JSESSIONID cookie Native API auth implemented, necessary for this PoC."

Any related code?

If we were to accept the changes as-is, they can be previewed here:

develop...GPortas:dataverse:session_api_auth

Any related open or closed issues?

@pdurbin pdurbin added Feature: API User Role: API User Makes use of APIs NIH OTA: 1.7.1 (reArchitecture) 7 | 1.7.1 | Research & architecture for separating backend and frontend to enable a flexible, sca... labels Oct 14, 2022
@qqmyers
Member

qqmyers commented Oct 14, 2022

This can open any GET calls that have side effects to a CSRF issue - we should assure we don't have any or add other protections before we open the api to session cookies.

@pdurbin pdurbin changed the title Feature Request/Idea: New API auth mechanism for SPA frontend requests to APIs New API auth mechanism for SPA frontend requests to APIs (developers only for now) Jan 13, 2023
@pdurbin
Member Author

pdurbin commented Jan 13, 2023

Today in an auth meeting I offered to create an issue but @GPortas just reminded me I already created this one! 😄

I just added "developers only for now" to emphasize that the new auth mechanism will be off by default and hidden behind a feature flag. Only developers will turn this on for now. Production installations should not turn it on due to CSRF (mentioned above) and possibly other security concerns. What we're trying to do is unblock development of a new React frontend.
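The CSRF concern raised by @qqmyers and the off-by-default feature flag described in this comment, as an added example that is not Dataverse's own code: a framework-free JavaScript model of the API auth decision that only honours a JSESSIONID cookie when the flag is on and a CSRF guard passes. The `x-dataverse-key` header is Dataverse's existing API token header; the flag name `sessionApiAuthEnabled`, the `X-Requested-With` convention, the origin allow-list and the session/token maps are assumptions constructed for the example.

```javascript
// Added example (not Dataverse code): model of an API auth decision that keeps
// session-cookie auth behind a feature flag and adds a CSRF guard, so that a
// cross-site GET with side effects cannot ride on the browser's cookie.
const API_KEY_HEADER = "x-dataverse-key";   // existing token-based API auth
const SESSION_COOKIE = "JSESSIONID";
const CSRF_HEADER = "x-requested-with";     // a cross-site <img>/<form> cannot set this

function lowerKeys(obj) {
  return Object.fromEntries(Object.entries(obj || {}).map(([k, v]) => [k.toLowerCase(), v]));
}

function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// sessions / apiTokens: constructed maps of credential -> user name (assumption).
function resolveApiAuth(req, config, sessions, apiTokens) {
  const h = lowerKeys(req.headers);
  const deny = (reason) => ({ user: null, reason });
  // 1. An explicit API token always wins: browsers never attach it on their own,
  //    so token auth is not exposed to CSRF.
  if (h[API_KEY_HEADER] !== undefined) {
    const user = apiTokens[h[API_KEY_HEADER]];
    return user ? { user, via: "token" } : deny("invalid API token");
  }
  // 2. Session-cookie auth is off by default (developers only for now).
  if (!config.sessionApiAuthEnabled) return deny("session API auth disabled");
  const sid = parseCookies(h["cookie"] || "")[SESSION_COOKIE];
  if (!sid || !sessions[sid]) return deny("no valid session");
  // 3. CSRF guards, applied to every method including GET: the browser sends the
  //    cookie on cross-site GETs too, so side-effecting GETs need the same check.
  if (h["origin"] !== undefined && !config.allowedOrigins.includes(h["origin"])) {
    return deny("origin not allowed");
  }
  if (h[CSRF_HEADER] !== "XMLHttpRequest") return deny("missing CSRF header");
  return { user: sessions[sid], via: "session" };
}
```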

@pdurbin
Member Author

pdurbin commented Jan 13, 2023

@GPortas regarding the feature flag...

I pointed you toward this example which uses a database setting: https://guides.dataverse.org/en/5.12.1/installation/config.html#allowapitokenlookupviaapi

However, these days we're trying to use MPCONFIG (MicroProfile Config API) instead. @poikilotherm wrote extensive docs here: https://guides.dataverse.org/en/5.12.1/developers/configuration.html

I'm not sure the best example of an MPCONFIG setting for you to look at. Maybe Oliver can suggest a straightforward one.

@mreekie

mreekie commented Jan 18, 2023

closed by #9290

@mreekie mreekie added the pm.GREI-d-1.7.1 NIH, yr1, aim7, task1: Research & architecture for separating backend and frontend label Mar 20, 2023
pdurbin added a commit to GPortas/dataverse that referenced this issue Mar 27, 2023
pdurbin added a commit to GPortas/dataverse that referenced this issue Mar 28, 2023
@pdurbin pdurbin added this to the 5.14 milestone May 10, 2023