-
Notifications
You must be signed in to change notification settings - Fork 249
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: do not sign requests that have optional auth #3671
Conversation
cfa01d4
to
4db8eda
Compare
4db8eda
to
b4debde
Compare
} | ||
rethrow; | ||
} | ||
// Do not attempt to sign requests where auth is optional. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// Do not attempt to sign requests where auth is optional. | |
// Do not attempt to sign requests where auth is optional. | |
// | |
// This is only set in Cognito and SSO services where the trait indicates | |
// that signing is strictly unnecessary and that signing the request does | |
// not impact the behavior of the APIs. |
Wondering if we should put a check in place in smithy_codegen which throws if we encounter an @optionalAuth
trait which is not in one of these services 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For example, we could add this to packages/smithy_codegen/lib/src/generate.dart
:
/// Asserts that the `@optionalAuth` trait is only present in Cognito and SSO
/// services, where we know the behavior is that signing is strictly unnecessary.
///
/// Any other services which onboard this trait must be validated for the same behavior
/// before we can generate for them.
class _AssertOptionalAuthVisitor extends CategoryShapeVisitor<Shape> {
const _AssertOptionalAuthVisitor();
/// The list of known services where `@optionalAuth` is present and its behavior has
/// been verified.
static const _knownServices = [
'com.amazonaws.cognitoidentity',
'com.amazonaws.cognitoidentityprovider',
'com.amazonaws.sso',
'com.amazonaws.ssooidc',
];
@override
EnumShape enumShape(EnumShape shape, [Shape? parent]) => shape;
@override
ListShape listShape(ListShape shape, [Shape? parent]) => shape;
@override
MapShape mapShape(MapShape shape, [Shape? parent]) => shape;
@override
MemberShape memberShape(MemberShape shape, [Shape? parent]) => shape;
@override
OperationShape operationShape(OperationShape shape, [Shape? parent]) {
if (shape.hasTrait<OptionalAuthTrait>() &&
!_knownServices.contains(shape.shapeId.namespace)) {
throw StateError(
'Shape has @optionalAuth but it is not from a validated service: '
'${shape.shapeId}',
);
}
return shape;
}
@override
ResourceShape resourceShape(ResourceShape shape, [Shape? parent]) => shape;
@override
ServiceShape serviceShape(ServiceShape shape, [Shape? parent]) => shape;
@override
SetShape setShape(SetShape shape, [Shape? parent]) => shape;
@override
SimpleShape simpleShape(SimpleShape shape, [Shape? parent]) => shape;
@override
StructureShape structureShape(StructureShape shape, [Shape? parent]) => shape;
@override
UnionShape unionShape(UnionShape shape, [Shape? parent]) => shape;
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Updated the comment.
As for the check, I think we have to be able to assume traits mean the same thing across services. In this case "optionalAuth" means that signing the request is not required, has no impact on the behavior.
b4debde
to
3de7c25
Compare
3de7c25
to
a3294c0
Compare
await Amplify.Auth.getCurrentUser(); | ||
return true; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does this throws if it can't get the user?
packages/auth/amplify_auth_cognito_test/test/state/sign_in_state_machine_test.dart
Outdated
Show resolved
Hide resolved
Co-authored-by: Dillon Nys <24740863+dnys1@users.noreply.github.com>
Issue #, if available:
Description of changes:
WithSigV4
to not sign requests that have optional authBy submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.