Implement JWT authentication in REST API #1785
✅ Deploy Preview for specter-desktop-docs ready!
@k9ert can you review the changes?
I've added some more comments. Please also fix the tests. Check the development documentation for something called
If there is no hiccup, this should now be green. I've also refined the documentation. @ankur12-1610, currently there is no need to do anything on your side other than maybe reviewing my changes in the documentation.
Oh! @k9ert you updated the doc :sweat_smile:, I was doing it rn ;) Also, in the updated version we've not described python requests, any reason for that :thinking:? Also, the changes LGTM!
Yeah, I was a bit impatient 😅
What's missing here?
Oh yeah, it is correct. I thought the same curl should be in python requests as well; I didn't see the line you mentioned which says that in python requests we won't use. Also there is a minor typo over here https://deploy-preview-1785--specter-desktop-docs.netlify.app/api/#python:~:text=%3Ctoken%3E%20and-,%3Ctoekn_id%3E, it should be
Typo fixed. It might need an explanation: you don't "need" BasicAuth in python because we assume here that people who are doing python are developing serious integration solutions which are configurable. Configuration with a token which has been created upfront via ... Remember: ideally we should have done a frontend in order to create the token. We wanted to make it as simple as possible and therefore we skipped the UI and instead created an API endpoint for that as a first fix. However, this (BasicAuth) endpoint should only be used by an administrator of Specter in order to create the token, which they then configure in some other (python) application. But an admin will use curl for that, not python. So that's the reason why we don't need the BasicAuth endpoint example in python (even though it would be possible). Or, looking at it from the other point of view: if you WOULD implement a configuration where you configure username/password into the python application and the python application is getting a token and using that one, then the whole exercise would have been completely useless and there would be no security gains.
Got it, thanks for the info, I didn't have any idea about this ;)
We can soon merge this PR. I don't think there is anything left other than doing a normal bugfix release, probably on Monday. Next week, Tuesday afternoon, we can merge this.
There were some little changes to the rest api test in #1920; I'd suggest merging this PR first, then checking whether the tests are still green (I guess so!) and then merging.
@ankur12-1610 merged, thank you!
Congrats! @ankur12-1610 |
Yaaayy! 🎉 it was a great learning experience, thanks @k9ert and @moneymanolis 😄 |
This PR basically involves the implementation of JWT authentication in Specter's REST API. I've divided this PR into different milestones:

- A `jwt_token` field in the `UserMixin`
- An endpoint (`/v1alpha/token`) which returns the `jwt_token` as the JSON response
- `BasicHTTPAuth` on the endpoints
- `TokenHTTPAuth` on top of the `BasicHTTPAuth`
Demo (latest progress):
final-sob-demo.mp4
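The two-layer scheme this PR describes (Basic auth only on `/v1alpha/token` to mint a `jwt_token`, bearer-token auth on every other endpoint, so the python client never holds the password, as @k9ert explains above), modelled as an added standard-library example; this is not Specter's code, and the signing secret, the admin credentials and the `/v1alpha/specter` route used in testing are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"          # assumption: server-side HS256 key
ADMIN = ("admin", "constructed-admin-pw")    # assumption: a Specter admin user

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def basic_header(user, password):
    """The header curl sends for `curl -u user:password`."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def mint_jwt(username, ttl_seconds, now=None):
    """HS256 JWT: b64url(header).b64url(claims).b64url(HMAC over the first two)."""
    now = int(now if now is not None else time.time())
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"sub": username, "iat": now, "exp": now + ttl_seconds}).encode())
    sig = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def verify_jwt(token, now=None):
    """Return the claims if signature and expiry check out, else None."""
    try:
        header, claims, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm; never trust the token's own choice
        expected = hmac.new(SECRET, f"{header}.{claims}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # payload or signature tampered with
        claims = json.loads(_b64url_decode(claims))
    except (ValueError, AttributeError):  # malformed segments, base64 or JSON
        return None
    now = now if now is not None else time.time()
    return claims if claims.get("exp", 0) > now else None

def handle(path, headers, now=None):
    """Route stub: Basic auth only on the token endpoint, Bearer JWT elsewhere."""
    auth = headers.get("Authorization", "")
    if path == "/v1alpha/token":
        if not auth.startswith("Basic "):
            return 401, {"error": "basic auth required"}
        if not hmac.compare_digest(auth.encode(), basic_header(*ADMIN).encode()):
            return 401, {"error": "bad credentials"}
        return 200, {"jwt_token": mint_jwt(ADMIN[0], 3600, now)}
    claims = verify_jwt(auth[7:], now) if auth.startswith("Bearer ") else None
    if claims is None:
        return 401, {"error": "valid bearer token required"}
    return 200, {"path": path, "user": claims["sub"]}
```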