[BUG]: Thin client imports #2466
Changes from all commits: 7add6f5, f9b2144, ba32c0f, 38560ae, f9196b5
@@ -5,10 +5,9 @@ | |
import time | ||
import traceback | ||
from enum import Enum | ||
from starlette.datastructures import Headers | ||
from typing import cast, Dict, List, Optional, TypedDict, TypeVar | ||
|
||
from fastapi import HTTPException | ||
|
||
from overrides import override | ||
from pydantic import SecretStr | ||
import yaml | ||
|
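Review bot: Dropping the module-level `from starlette.datastructures import Headers` and `from fastapi import HTTPException` is what lets the thin client load this module, but nothing in the hunk records that intent; a one-line comment next to the remaining imports (for example `# starlette/fastapi are imported lazily so the thin client can import this module`) would stop a later cleanup from hoisting the deferred `HTTPException` import back to the top. Also worth confirming that no other annotation in this file still names `Headers`, since the name is removed here while the `typing` import line is unchanged.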
@@ -191,13 +190,13 @@ def __init__(self, system: System) -> None: | |
"TokenAuthenticationServerProvider.authenticate", OpenTelemetryGranularity.ALL | ||
) | ||
@override | ||
def authenticate_or_raise(self, headers: Headers) -> UserIdentity: | ||
def authenticate_or_raise(self, headers: Dict[str, str]) -> UserIdentity: | ||
try: | ||
if self._token_transport_header.value not in headers: | ||
if self._token_transport_header.value.lower() not in headers.keys(): | ||
raise AuthError( | ||
f"Authorization header '{self._token_transport_header.value}' not found" | ||
) | ||
token = headers[self._token_transport_header.value] | ||
token = headers[self._token_transport_header.value.lower()] | ||
if self._token_transport_header == TokenTransportHeader.AUTHORIZATION: | ||
if not token.startswith("Bearer "): | ||
raise AuthError("Bearer not found in Authorization header") | ||
|
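Review bot: The lowercased lookups in `if self._token_transport_header.value.lower() not in headers.keys():` and `token = headers[self._token_transport_header.value.lower()]` only work if the caller has already lowercased every key; Starlette's `Headers` was case-insensitive, a plain `Dict[str, str]` is not, so an override that passes `{"Authorization": "Bearer ..."}` now fails closed with `AuthError` even though the token is present. Normalize once inside the method instead, `headers = {k.lower(): v for k, v in headers.items()}`, then do both lookups with the lowercased name; and `in headers` is the idiomatic form of `in headers.keys()`.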
@@ -232,4 +231,6 @@ def authenticate_or_raise(self, headers: Headers) -> UserIdentity: | |
time.sleep( | ||
random.uniform(0.001, 0.005) | ||
) # add some jitter to avoid timing attacks | ||
from fastapi import HTTPException | ||
Do we really want to import in the hot path here? Why do we need this change?

It's a good point. I had it initially in the
||
|
||
raise HTTPException(status_code=403, detail="Forbidden") |
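Review bot: The function-level `from fastapi import HTTPException` now sits inside the failure path, so on an installation without fastapi the handler raises `ModuleNotFoundError` instead of the intended `HTTPException(status_code=403, detail="Forbidden")`, turning a clean 403 into an unhandled error; that is acceptable only if the thin client never reaches this server-side provider, which the diff does not show. On the hot-path question raised above: after the first call the statement is a `sys.modules` lookup plus a local bind, so the cost is negligible, but a comment on the import line saying why it is deferred would answer that question for the next reader.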
@@ -341,7 +341,7 @@ def auth_and_get_tenant_and_database_for_request( | |
if not self.authn_provider: | ||
return (tenant, database) | ||
|
||
user_identity = self.authn_provider.authenticate_or_raise(headers) | ||
user_identity = self.authn_provider.authenticate_or_raise(dict(headers)) | ||
why this change?

This is to fix a header check that was previously
||
|
||
( | ||
new_tenant, | ||
|
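Review bot: `dict(headers)` on a Starlette `Headers` yields lowercased keys, because Starlette stores header names lowercased, and that is the implicit contract the callee's `.lower()` lookup now depends on; state it in a comment at the call site so an override that passes a raw dict does not silently miss the token header. One behavioural change to be aware of: `Headers.__getitem__` returns the first header with a matching name, while `dict(headers.items())` keeps the last value for a duplicated name, so a request carrying two `Authorization` headers is now authenticated with the last one rather than the first. If first-match semantics should be preserved, pass `{k: headers[k] for k in headers.keys()}` instead of `dict(headers)`.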
This is a breaking change for anyone overriding auth. We should be more careful here.

Agreed. But the use of `starlette` and `fastapi` here was already a breaking change for the thin client, which did not require (or import) either of those. Technically, duck-typing helps us here too.