feat(GraphQL): Validate audience in authorization JWT and change Dgraph.Authorization format.
#5927
Conversation
Also removes forced exp check as claims.Valid performs this check, and exp is an optional claim according to spec.
Mostly looking good. Please make some changes and then can have another look before approving.
Reviewed 1 of 6 files at r1, 6 of 7 files at r2.
Reviewable status: all files reviewed, 4 unresolved discussions (waiting on @arijitAD and @MichaelJCompton)
graphql/authorization/auth.go, line 95 at r2 (raw file):
}
fmt.Println("Falling back to parsing authorization information in old format.")
We don't need this and can tell the user that they need to upgrade their syntax.
Michael mentioned on Slack
also, do this -> if we have a parsing error on the auth, we have an error message like "Unable to parse Dgraph.Authorization. It may be that you are using a pre-release syntax. Please check at https://graphql.dgraph.io/authorization/."
10:42
That should cover anyone who's used a pre-release version and needs to update their syntax.
10:43
Obviously if it parses as json, but there's some other error, then we report the specific error because they must know the new syntax at that point.
graphql/authorization/auth.go, line 272 at r2 (raw file):
}
return nil, errors.Errorf("couldn't parse signing method from token header: %s", algo)
}, jwt.WithoutClaimsValidation())
Add a comment that library only supports comparing against one audience and we do this validation ourselves below.
testutil/graphql.go, line 203 at r2 (raw file):
func AppendAuthInfo(schema []byte, algo, publicKeyFile string) ([]byte, error) {
	if algo == "HS256" {
		authInfo := `# Dgraph.Authorization {"PublicKey":"secretkey","Header":"X-Test-Auth","Namespace":"https://xyz.io/jwt/claims","Algo":"HS256","Audience":["aud1","63do0q16n6ebjgkumu05kkeian","aud5"]}`
Check that JSON parsing works fine with spaces before and after the JSON.
testutil/graphql.go, line 203 at r2 (raw file):
func AppendAuthInfo(schema []byte, algo, publicKeyFile string) ([]byte, error) {
	if algo == "HS256" {
		authInfo := `# Dgraph.Authorization {"PublicKey":"secretkey","Header":"X-Test-Auth","Namespace":"https://xyz.io/jwt/claims","Algo":"HS256","Audience":["aud1","63do0q16n6ebjgkumu05kkeian","aud5"]}`
Change PublicKey to VerificationKey
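As an added, stand-alone illustration of two points raised in this review (the jwt library only compares aud against a single value, so the Audience list from Dgraph.Authorization has to be checked separately; and the JSON in the `# Dgraph.Authorization` comment must still parse with spaces before and after it), the following Go program is not part of this PR or of Dgraph. It uses only the standard library in place of jwt-go; the names AuthMeta, ParseAuthMeta, SignHS256, audiences and VerifyHS256, the sample schema line and the tokens minted for it are all constructed for the example. It also keeps exp optional, as the PR description says, enforcing it only when the claim is present.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// AuthMeta holds the Dgraph.Authorization fields verification needs (Header and Namespace are ignored here).
type AuthMeta struct {
	VerificationKey string   `json:"VerificationKey"`
	Algo            string   `json:"Algo"`
	Audience        []string `json:"Audience"`
}
// sampleSchema is a constructed schema line with extra spaces before and after the JSON object.
const sampleSchema = `  # Dgraph.Authorization   {"VerificationKey":"secretkey","Header":"X-Test-Auth","Namespace":"https://xyz.io/jwt/claims","Algo":"HS256","Audience":["aud1","63do0q16n6ebjgkumu05kkeian","aud5"]}   `

// ParseAuthMeta finds the Dgraph.Authorization comment and decodes its JSON (encoding/json skips the
// surrounding whitespace itself); non-JSON input such as the pre-release syntax gets the upgrade hint.
func ParseAuthMeta(schema string) (*AuthMeta, error) {
	for _, line := range strings.Split(schema, "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, "# Dgraph.Authorization") {
			continue
		}
		var meta AuthMeta
		if err := json.Unmarshal([]byte(strings.TrimPrefix(line, "# Dgraph.Authorization")), &meta); err != nil {
			return nil, errors.New("Unable to parse Dgraph.Authorization. It may be that you are using the pre-release syntax. Please check the correct syntax at https://graphql.dgraph.io/authorization/")
		}
		return &meta, nil
	}
	return nil, errors.New("no Dgraph.Authorization comment found in schema")
}

// SignHS256 mints a compact JWT for the demonstration; real tokens come from the identity provider.
func SignHS256(claims map[string]interface{}, key string) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, []byte(key))
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func audiences(raw json.RawMessage) []string {
	var one string // RFC 7519 allows aud to be a single string ...
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string // ... or an array of strings
	_ = json.Unmarshal(raw, &many) // an absent or malformed aud leaves the list empty
	return many
}

// VerifyHS256 checks the alg header, the HMAC signature, the optional exp claim and the audience
// list; now is passed in so the expiry check is deterministic in tests.
func VerifyHS256(token string, meta *AuthMeta, now time.Time) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("token must have exactly three segments")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	// The algorithm is pinned to the configured Algo; the token's own alg header is never trusted alone.
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" || meta.Algo != "HS256" {
		return errors.New("couldn't parse signing method from token header: " + hdr.Alg)
	}
	mac := hmac.New(sha256.New, []byte(meta.VerificationKey))
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) { // constant-time comparison
		return errors.New("invalid token signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c struct {
		Exp *int64          `json:"exp"`
		Aud json.RawMessage `json:"aud"`
	}
	if err != nil || json.Unmarshal(body, &c) != nil {
		return errors.New("malformed token payload")
	}
	// exp is optional per the JWT spec, so it is enforced only when the claim is present.
	if c.Exp != nil && !now.Before(time.Unix(*c.Exp, 0)) {
		return errors.New("token is expired")
	}
	// The jwt library compares aud against one value only, so the configured Audience list is checked here.
	matched := len(meta.Audience) == 0 // no configured Audience means no aud restriction
	for _, got := range audiences(c.Aud) {
		for _, want := range meta.Audience {
			matched = matched || got == want
		}
	}
	if !matched {
		return errors.New("JWT aud claim does not match any configured Audience")
	}
	return nil
}
```

The signature is verified before any claim is read, and the algorithm comes from the configuration rather than from the token, so an attacker-controlled alg header cannot select a weaker check. The audience rule is "at least one of the token's audiences is in the configured list", which is the behaviour a single-value library comparison cannot express.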
Reviewable status: 3 of 8 files reviewed, 4 unresolved discussions (waiting on @MichaelJCompton and @pawanrawal)
graphql/authorization/auth.go, line 95 at r2 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
We don't need this and can tell the user that they need to upgrade their syntax.
Michael mentioned on Slack
also, do this -> if we have a parsing error on the auth, we have an error message like "Unable to parse Dgraph.Authorization. It may be that you are using a pre-release syntax. Please check at https://graphql.dgraph.io/authorization/."
10:42
That should cover anyone who's used a pre-release version and needs to update their syntax.
10:43
Obviously if it parses as json, but there's some other error, then we report the specific error because they must know the new syntax at that point.
Done.
graphql/authorization/auth.go, line 272 at r2 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Add a comment that library only supports comparing against one audience and we do this validation ourselves below.
Done.
testutil/graphql.go, line 203 at r2 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Check that JSON parsing works fine with spaces before and after the JSON.
Test with spaces. It works.
testutil/graphql.go, line 203 at r2 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Change PublicKey to VerificationKey
Done.
Reviewed 4 of 5 files at r3, 1 of 1 files at r4.
Reviewable status: all files reviewed, 3 unresolved discussions (waiting on @arijitAD and @MichaelJCompton)
graphql/authorization/auth.go, line 112 at r2 (raw file):
return meta, errors.Errorf("error while parsing jwt authorization info: %v", err)
}
idx := authMetaRegex.FindAllStringSubmatchIndex(authInfo, -1)
the authMetaRegex can be deleted as well now?
graphql/authorization/auth.go, line 93 at r4 (raw file):
return meta, fmt.Errorf("Unable to parse Dgraph.Authorization. " +
	" It may be that you are using the pre-release syntax. " +
	"Please check at https://graphql.dgraph.io/authorization/")
Please check the correct syntax at ...
graphql/schema/wrappers_test.go, line 985 at r4 (raw file):
nil, "", errors.New("Unable to parse Dgraph.Authorization. " +
nice
Reviewable status: 6 of 8 files reviewed, 3 unresolved discussions (waiting on @MichaelJCompton and @pawanrawal)
graphql/authorization/auth.go, line 112 at r2 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
the authMetaRegex can be deleted as well now?
I have already deleted it.
graphql/authorization/auth.go, line 93 at r4 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
Please check the correct syntax at ...
Done.
graphql/schema/wrappers_test.go, line 985 at r4 (raw file):
Previously, pawanrawal (Pawan Rawal) wrote…
nice
Done.
@dpeek Can you sign the CLA so that we can merge this PR?
Hi @pawanrawal, sorry for the radio silence – things got busy at work! I thought I had signed the CLA already, but signed again. Still says pending though?
Yes, it shows pending, without which we cannot merge.
Seems like it picked it up now, had to ask it to recheck :)
…aph.Authorization` format. (hypermodeinc#5927)
1. Upgrades jwt-go to v4 to support multiple aud claims in JWT
2. Makes JWT token expiry field optional in GraphQL.
3. Changes Dgraph.Authorization format.
Co-authored-by: David Peek <mail@dpeek.com>
Fixes GRAPHQL-565
Upgrades jwt-go to v4 to support multiple aud claims in JWT (fix(GraphQL): Upgrade jwt-go to v4 to support multiple aud claims #5750). Changes Dgraph.Authorization format. The updated Dgraph.Authorization format is as follows:
# Dgraph.Authorization {"VerificationKey":"secretkey","Header":"X-Test-Auth","Namespace":"https://xyz.io/jwt/claims","Algo":"HS256"}
This change is
Docs Preview: