@Fang- Fang- commented Aug 24, 2022

Preparatory work for part of #5927, but these changes can go in on their own.

Adds a %sessions gift to eyre that it uses to send a set of valid session tokens to the runtime, both on-%born and whenever that set changes.

Updates http.c to accept those gifts, and use them for checking authentication on the /~_~/slog printf stream endpoint by reading the cookie header, if any.
Previously it used a clunky scry that put the full cookie string in the path. We should probably consider that scry endpoint deprecated now.

@joemfb perhaps you want these commits as separate PRs?

Fang- added 2 commits August 24, 2022 00:34
Whenever a session gets created or removed, send the set of valid auth
tokens to the runtime, so that it may use them in determining whether
incoming requests are authenticated or not.

Accept the newly added %session effect. Store the tokens received in it,
and refer back to them when checking requests for authentication.

Adds logic for checking requests for authentication based on the
presence of a valid urbauth cookie for the host ship, and updates the
slogstream endpoint to use that instead of the scry-based authentication
check.
@Fang- Fang- requested a review from joemfb August 24, 2022 14:54
@joemfb joemfb left a comment

These changes look reasonable to me. I still need to take a closer look at a couple parts. But I have some notes about releasing stuff like this:

This changes the external vane interface, and therefore requires a kelvin. The change is also required; slog streams will stop working on ships with a new binary and an old arvo, as the set of authentication tokens will be null. (Required in some sense, it's not a major feature.) So we can release the vere changes early, without adding a fallback to the authentication scry.

There's also the basic question of where to put changes like this (ie, "pending next kelvin bump"). I think we probably don't want it on next/arvo, but I'm not sure where it should go.

/cc @philipcmonk

Also adds a dedicated %born test to check if it sends a %sessions gift,
and refactors %init and %born running into separate arms to cut down on
repetition.
@Fang- Fang- mentioned this pull request Nov 15, 2022
jalehman commented Feb 6, 2023

This now requires two PRs. @Fang- will cherrypick the vere-related commits off of this to urbit/vere.

@jalehman

@Fang- is this ready to be reviewed? It looks like it, now that the C code is gone.

@Fang- Fang- requested a review from belisarius222 February 17, 2023 12:35
Fang- commented Feb 17, 2023

Yes. This should be fine to go in before/independently of urbit/vere#199, which I still need to address the feedback on. I don't think anything there should affect the interface implemented here.

@belisarius222 belisarius222 merged commit 61d32b5 into develop Feb 17, 2023
@belisarius222 belisarius222 deleted the m/http-auth-tokens branch February 17, 2023 14:09
pkova added a commit that referenced this pull request Feb 28, 2023
This reverts commit 61d32b5, reversing
changes made to b271d5e.
Fang- added a commit to urbit/vere that referenced this pull request Mar 1, 2023
Cherry-picked over from urbit/urbit#5973. Depends on the eyre-side
change there, so this will be part of a kelvin update.

Accept the newly added `%session` effect in the http io driver. Store
the tokens received in it, and refer back to them when checking requests
for authentication.

Adds logic for checking requests for authentication based on the
presence of a valid urbauth cookie for the host ship, and updates the
slogstream endpoint to use that instead of the scry-based authentication
check.
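
An added illustration (not the vere http.c code from this PR) of the check the description outlines: read the Cookie header, pick out the host ship's urbauth cookie, and accept only if its value is in the session set last received from eyre. The cookie name format `urbauth-<ship>`, the function names and the token strings are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constant-time comparison of two equal-length buffers. */
static int ct_eq(const char *a, const char *b, size_t n) {
  unsigned char d = 0;
  for (size_t i = 0; i < n; i++) d |= (unsigned char)(a[i] ^ b[i]);
  return 0 == d;
}

/* Value of cookie `name` in a Cookie header, or NULL. The name must start
   a pair and be followed by '=', so "xurbauth-..." never matches. */
static const char *cookie_get(const char *hdr, const char *name, size_t *len) {
  size_t nlen = strlen(name);
  const char *p = hdr;
  while (p && *p) {
    while (' ' == *p || ';' == *p) p++;          /* skip pair separators */
    const char *end = strchr(p, ';');
    size_t plen = end ? (size_t)(end - p) : strlen(p);
    if (plen > nlen && '=' == p[nlen] && 0 == strncmp(p, name, nlen)) {
      *len = plen - nlen - 1;
      return p + nlen + 1;
    }
    p = end;
  }
  return NULL;
}

/* 1 if the header carries a token from the session set, else 0. An empty
   set fails closed. Assumption: the cookie is named "urbauth-<ship>". */
int request_is_authed(const char *hdr, const char *ship,
                      const char *const *toks, size_t ntok) {
  char name[64];
  size_t vlen = 0;
  int ok = 0;
  if (!hdr) return 0;
  int n = snprintf(name, sizeof name, "urbauth-%s", ship);
  if (n < 0 || (size_t)n >= sizeof name) return 0;
  const char *val = cookie_get(hdr, name, &vlen);
  if (!val || 0 == vlen) return 0;
  for (size_t i = 0; i < ntok; i++)              /* no early exit on a match */
    if (strlen(toks[i]) == vlen) ok |= ct_eq(val, toks[i], vlen);
  return ok;
}

int main(void) {
  const char *toks[] = { "0v5.aaaa", "0v5.bbbb" };  /* constructed tokens */
  printf("%d\n", request_is_authed("a=1; urbauth-~zod=0v5.bbbb", "~zod", toks, 2));
}
```

With an empty token set, which is what a new binary sees before any %sessions gift arrives, every request is treated as unauthenticated.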