Add JWT auth via headers and RS256 signing option #146
Conversation
vayan
force-pushed
the
add-header-jwt-and-rs256-token
branch
3 times, most recently
from
c544821
to
03aa433
Compare
Codecov Report
@@ Coverage Diff @@
## master #146 +/- ##
==========================================
- Coverage 94.22% 93.43% -0.79%
==========================================
Files 29 23 -6
Lines 1333 1173 -160
==========================================
- Hits 1256 1096 -160
Misses 54 54
Partials 23 23Continue to review full report at Codecov.
|
It's more common to use JWT tokens via headers. (e.g: `Authorization Bearer token11`) Also added the RS256 signing method which is used a lot too.
vayan
force-pushed
the
add-header-jwt-and-rs256-token
branch
from
03aa433
to
f624e4f
Compare
pkg/config/env.go
Outdated
| @@ -90,4 +90,5 @@ var Config = struct { | |||
| JWTAuthSecret string `env:"FLAGR_JWT_AUTH_SECRET" envDefault:""` | |||
| JWTAuthNoTokenRedirectURL string `env:"FLAGR_JWT_AUTH_NO_TOKEN_REDIRECT_URL" envDefault:""` | |||
| JWTAuthUserProperty string `env:"FLAGR_JWT_AUTH_USER_PROPERTY" envDefault:"flagr_user"` | |||
| JWTAuthSigningMethod string `env:"FLAGR_JWT_AUTH_SIGNING_METHOD" envDefault:"HS256"` | |||
There was a problem hiding this comment.
Let's add a comment for possible values of signing methods.
The whole file will be served as the doc at https://checkr.github.io/flagr/#/flagr_env
There was a problem hiding this comment.
Also, can you help change the comments above of the pattern of how to use JWT auth?
There was a problem hiding this comment.
Sure! I missed this comment 👍
pkg/config/middleware_test.go
Outdated
| assert.Equal(t, http.StatusOK, res.Code) | ||
| }) | ||
|
|
||
| t.Run("it will pass if jwt enabled with correct HS256 token cookie and signing method is wrong", func(t *testing.T) { |
There was a problem hiding this comment.
nit: change to "it will pass with a correct HS256 token cookie when signing method is wrong and it defaults to empty string secret"
|
Thanks for the PR! Welcome to Flagr! Want to collect some feedback on how are you going to use Flagr, for example, are you building your own UI or simply run it through some generated clients? Changing to RS256 and sending through headers also requires some changes to the Flagr UI, but I guess you can put it in another pr. |
|
Related to #121 |
What changes need to be done?
I'm going to use Flagr using https://github.com/checkr/jsflagr on our backend and manual changes via the UI. |
Description
It's more common to use JWT tokens via headers. (e.g:
Authorization Bearer token11)Also added the RS256 signing method which is used a lot too.
By default everything works like before 👍
How Has This Been Tested?
Manual testing + lot of new UT
Types of changes
Checklist: