
Protect API endpoints with token auth middleware #62

Merged
merged 9 commits into from
Mar 21, 2024

Conversation

cameronkinsella
Contributor

@cameronkinsella cameronkinsella commented Mar 19, 2024

Protects most endpoints with token auth. The only endpoints not protected are the ones required for login, where the user does not yet have an auth token.

Since endpoints now require authentication, you will need to add a Bearer Token type Authorization header if you are testing endpoints in something like Postman. To obtain a token, you can:

  1. Click the Copy Token button while logged in as an admin (dev or prod). [image]
  2. Copy the token that is created and logged when the backend server starts (dev only). [image]
  3. Copy the value of your jwt cookie while logged in as an admin (dev or prod). [image]

The token auth verifier will check for either a cookie or a bearer token, so if you are already logged in as an admin then you can access GET endpoints just by visiting their URL.

The following frontend functionality has been tested and is not broken:

  • Create user
  • Delete user
  • Add new key
  • Revoke keys
  • User registration
  • User login/logout
  • Create/Edit role
  • Update user roles
  • Door auth with passkey

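The behaviour described in the comment above (login routes left open, every other route behind a token that may arrive either as an `Authorization: Bearer` header or as the `jwt` cookie) as an added Go example written for this page. It is not the project's `backend/middleware/auth.go`, which the PR page does not show: the signing key, the public route names, the claim fields and the HS256 scheme are all assumptions made here so that the block runs stand-alone.

```go
package main

import (
	"context"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Constructed for this example: the project's real signing key and route names are not on the page.
var (
	signingKey  = []byte("example-only-secret-do-not-use")
	publicPaths = map[string]bool{"/api/login/begin": true, "/api/login/finish": true} // reachable before login
	enc         = base64.RawURLEncoding
)

// claims is the minimal JWT payload checked here; the project's actual claims are not shown.
type claims struct{ Sub string `json:"sub"`; Exp int64 `json:"exp"` }
type claimsKey struct{} // context key under which handlers find the verified claims

func sign(input string) []byte {
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// MintToken builds an HS256 JWT, standing in for the token the dev server logs at startup.
func MintToken(c claims) string {
	body, _ := json.Marshal(c)
	in := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	return in + "." + enc.EncodeToString(sign(in))
}

// VerifyToken pins the algorithm, compares the HMAC in constant time, then checks expiry.
func VerifyToken(tok string, now time.Time) (*claims, error) {
	parts := strings.Split(tok, ".")
	var hdr struct{ Alg string `json:"alg"` }
	if hdrJSON, err := enc.DecodeString(parts[0]); len(parts) != 3 || err != nil ||
		json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, fmt.Errorf("malformed token or unexpected alg") // also rejects alg=none
	}
	if sig, err := enc.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, sign(parts[0]+"."+parts[1])) {
		return nil, fmt.Errorf("bad signature")
	}
	var c claims
	if payload, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &c) != nil ||
		c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("bad payload or expired token")
	}
	return &c, nil
}

// tokenFromRequest prefers the Authorization: Bearer header and falls back to the jwt cookie.
func tokenFromRequest(r *http.Request) string {
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimSpace(strings.TrimPrefix(h, "Bearer "))
	}
	if c, err := r.Cookie("jwt"); err == nil {
		return c.Value
	}
	return ""
}

// RequireAuth lets the login routes through and demands a valid token for everything else.
func RequireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if publicPaths[r.URL.Path] {
			next.ServeHTTP(w, r)
			return
		}
		c, err := VerifyToken(tokenFromRequest(r), time.Now())
		if err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), claimsKey{}, c)))
	})
}

// Probe runs one request (raw Authorization and Cookie header values, "" for absent) through the middleware.
func Probe(method, path, authorization, cookie string) int {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("Authorization", authorization)
	req.Header.Set("Cookie", cookie)
	rec := httptest.NewRecorder()
	RequireAuth(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	tok := MintToken(claims{Sub: "admin", Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(Probe("GET", "/api/users", "", ""), Probe("GET", "/api/users", "Bearer "+tok, ""), Probe("GET", "/api/users", "", "jwt="+tok)) // 401 200 200
}
```

Two caveats worth keeping in mind when wiring something like this into a real server: the allowlist is an exact-path match, so a new pre-login route has to be added deliberately rather than slipping through a prefix rule, and the verifier pins `alg` to HS256 and compares the MAC with `hmac.Equal` so that a forged header claiming `alg=none` is refused before any signature comparison happens.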
@cameronkinsella cameronkinsella marked this pull request as ready for review March 20, 2024 03:02
@cameronkinsella cameronkinsella force-pushed the dev/api-protection branch 4 times, most recently from ff2ad8b to 8816d93 Compare March 20, 2024 09:45
@cameronkinsella
Contributor Author

cameronkinsella commented Mar 20, 2024

Added a settings modal. It can be opened by clicking on the cog icon on the top right. It currently only contains the logout option and (if the user is an admin) the option to copy their access token. Feel free to adjust the look and feel of these components.

I also added a disclaimer to educate the user about misuse of the access token. They must acknowledge this disclaimer before they are able to copy the token. The disclaimer is a bit long, so it becomes scrollable if the max height for it is reached.

output.mp4

@AdrianJendo
Contributor

> Added a settings modal. It can be opened by clicking on the cog icon on the top right. It currently only contains the logout option and (if the user is an admin) the option to copy their access token. Feel free to adjust the look and feel of these components.
>
> I also added a disclaimer to educate the user about misuse of the access token. They must acknowledge this disclaimer before they are able to copy the token. The disclaimer is a bit long, so it becomes scrollable if the max height for it is reached.
>
> output.mp4

I'm not going to approve this. I don't think this is good UI / UX and adding this token does nothing beneficial for our symposium.

frontend/src/components/navbar/navbar.module.css (outdated)
frontend/src/app/admin/settings/tokenConfirmation/page.tsx (outdated)
frontend/src/app/admin/settings/page.tsx (outdated)
backend/server.go (outdated)
backend/middleware/auth.go (outdated)
backend/routes/webAuthn.go
@cameronkinsella
Contributor Author

Reverted settings modal and moved the access token dialogue to replace the logged in admin's self-delete button.
The button works the same as the video above.

[image]

Comment on lines 17 to 18
title="Settings"
content={Confirmation()}
Contributor

Is "Settings" the correct title? Also I don't think the brackets are necessary

Contributor Author

@cameronkinsella cameronkinsella Mar 21, 2024

Changed the title to "Warning". The brackets on Confirmation are necessary because content expects an Element and Confirmation is () => Element.

frontend/src/components/navbar/navbar.module.css (outdated)
Now that modals are scrollable, this is not necessary.
@cameronkinsella cameronkinsella merged commit 82b4413 into master Mar 21, 2024
3 checks passed
@cameronkinsella cameronkinsella deleted the dev/api-protection branch March 21, 2024 02:43
2 participants