New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
9293 - New filter-based design for the API authentication mechanisms (1/2) #9303
Conversation
… authenticated & unauthenticated user)
…erRequestContext (2)
Sizing: Still in Draft so no sizing yet. |
…ndAuthMechanism initialization issue fix
… to an existing authenticated user
…r requests by handling filter-comming user instead of findUserOrDie method
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
examined all implementations in the auth package, new methods in AbstractApiBean such as getRequestUser(...) and getRequestAuthenticatedUserOrDie(...) which use ContainerRequestContext for parameters and are designed to replace findUserOrDie() and findAuthenticatedUserOrDie() and their use in DataSets API. Looks good
@GPortas Please refresh from develop due to version numbers changing. |
@GPortas So far, have tested 3 endpoints, gets JSON representation of dataset, publish dataset, create/get private url. They use getRequestUser and getRequestAuthenticatedUserOrDie. They continue to work with api token and workflow token but so far do not work with signed url, returns {"status":"ERROR","message":"Bad signed URL"}. There is no server log error. It works on develop branch with the same exact signed url. What I did to test signed url: Posted resulting url into a different browser, got metadata on develop branch, bad signed url on this pr. |
…L validation to fail
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Decoding issue causing signed url authentication to fail
What this PR does / why we need it:
This PR includes the refactoring changes for transitioning to the new filter-based design described in #9293 for the current API authentication mechanisms.
Due to the magnitude of the changes and in order not to overextend the revision work of this PR, I have decided to limit the scope of this PR in relation to issue #9293.
In particular, this PR covers the following points:
@Deprecated
, as well as any other methods in the AbstractApiBean class related to the old auth design.My idea for a next iteration is to evolve the rest of the API methods to use the new auth design so we can remove the old design logic (methods marked as
@Deprecated
in this PR).Which issue(s) this PR closes:
Partially completes #9293 but does not close it.
Special notes for your reviewer:
Not yet
Suggestions on how to test this:
The behavior of the API must be the same as before, so in addition to the automated IT tests, curl calls to the API using different types of credentials can be used to test the different auth mechanisms.
Does this PR introduce a user interface change? If mockups are available, please link/include them here:
No
Is there a release notes update needed for this change?:
Not sure
Additional documentation:
Not yet / Not sure