Auth integration - Now authentication is extracted from kalamdb and more into the oidc your using#215
Merged
Merged
Conversation
Introduce a full feature spec for the User ID-only auth cutover: adds specs/028-auth-integration (spec.md, plan.md, data-model.md, research.md, quickstart.md, tasks.md, checklist, and contracts for HTTP, link models, and SQL identity). Update development guidelines (.github/agents/copilot-instructions.md) to reference the new auth integration and Rust 1.92+ details, and expand .gitignore with several link/kalam-client wasm size artifacts.
Standardize user/password naming across API, CLI, docs and examples (field/flag renamed from `username`/`--username` to `user`/`--user`). Harden authentication: WebSocket AuthSuccess now carries `user` and a typed Role enum, and bearer token authentication rejects tokens whose claimed role doesn't match the stored user role. SDK/client auth surfaces moved toward an authProvider model (remove anonymous/no-auth type, treat Auth.basic as a login bootstrap only and require JWT for protected requests), TypeScript auth types updated, and client initialization/login logic adjusted accordingly. Other cleanups: minor renames and refactors (impersonation resolved_user variable), user model column ordinals reordered, subscription helper changed to allow subscribing without initial data, and tests/docs/examples updated (including a new test asserting stale elevated bearer tokens are rejected).
Bump DataFusion-related crates to 53.1 and add datafusion-functions-json dependency. Add audit logging for admin UI logins (new audit module and login handler call). Improve error handling and sanitization: add SQL error classification and safe response builders for SQL execution paths, refactor auth error mapping and add unit tests to ensure sensitive auth failures are redacted. Add healthcheck unit tests and small refactors/import reorderings across API modules.
Add nested list support to Arrow->JSON conversion (List/LargeList/FixedSizeList) with helper nested_array_to_json and unit test. Relax a timing assertion in executor tests. Improve benchv2 to run SQL across all client URLs: add run_sql_ok_on_all_urls, insert_checkpoint_probe_rows, live_query_count_across_urls and migrate existing bench logic to use them; adjust loopback bind behavior to avoid pinning when single address. Enhance CLI test auto-start server lifecycle with shared state, file/lock-based leases, PID handling, cleanup registration, and robust start/stop (persistent state file, custom data dir creation, pid tracking, higher auth rate limit). Expose topics.visibility_timeout_secs and add local frontend origins to server examples. Add test allocator & conversion stats scaffolding and small pg conversion optimizations (use rust_str_to_text_p, record conversion metrics); update pgrx test setup to include e2e feature. Update TypeScript E2E tests to use wait-for helpers and bump local package versions. Add new pg e2e_perf conversion test file.
Make CI config edits more robust and tune cross-aarch64 CI environment: - Use extended sed regexes in .github/workflows/release.yml to replace numeric limits (max_queries_per_sec and max_messages_per_sec) by matching any digits instead of exact values, avoiding brittle substitutions. - Update smoke test (smoke_test_topic_high_load.rs) to import and use the server's default topic visibility timeout helper (default_topic_visibility_timeout_secs) instead of a hardcoded fallback, and adjust comment to match behavior. This makes the test align with server config and avoid arbitrary magic values. - Disable NumKong ARM SDOT/SVE-SDOT probes in tools/Dockerfile.cross-aarch64 by setting NK_TARGET_NEONSDOT=0 and NK_TARGET_SVESDOT=0 with an explanatory comment, working around GCC 10 cross-toolchain compilation issues for CI until the toolchain is upgraded.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request introduces several improvements and refactorings related to authentication, dependency updates, and test coverage. The most significant changes include refactoring the login flow to use a canonical
useridentifier instead ofusername, adding audit logging for admin logins, improving error handling and test coverage for authentication errors, and updating multiple dependencies for security and feature support.userfield instead ofusernameinLoginRequest, including validation and renaming throughout the codebase.These changes collectively improve authentication security, auditability, and maintainability, while keeping dependencies up to date.