Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Multi-Tenant] Use http-signatures to determine tenant identity during requests #2928

Open
2 tasks
Tracked by #2893
njlie opened this issue Aug 30, 2024 · 0 comments · May be fixed by #3164
Open
2 tasks
Tracked by #2893

[Multi-Tenant] Use http-signatures to determine tenant identity during requests #2928

njlie opened this issue Aug 30, 2024 · 0 comments · May be fixed by #3164
Assignees
Labels
pkg: backend Changes in the backend package. pkg: frontend Changes in the frontend package.

Comments

@njlie
Copy link
Contributor

njlie commented Aug 30, 2024

During tenanted Admin GraphQL requests, the server should leverage the existing http-signature signing scheme to determine if the requester is a particular tenant. This should be achieved through the following:

  • GraphQL requests should be augmented with a tenantId in the header.
  • A middleware on the Admin GraphQL server should use this header to retrieve the apiSecret on the associated entry in the tenants table.
  • This middleware should then construct a signature with the apiSecret it retrieved and either accept or reject the request based on if the signature is valid.
  • If the request is accepted, the subsequent business logic should use the tenantId provided in the header as part of its input.

We might want to also allow signatures generated using the ADMIN_API_SECRET environment variable to be used as valid authentication, as way for operators to identify themselves.

  • Update Admin API middleware to expect tenantId in header during request
  • Update Admin API middleware to call signature verification method that constructs signature from a tenant's apiSecret, throw if invalid

Prerequisites:

@github-project-automation github-project-automation bot moved this to Backlog in Rafiki Aug 30, 2024
@njlie njlie mentioned this issue Aug 30, 2024
38 tasks
@njlie njlie added pkg: backend Changes in the backend package. pkg: frontend Changes in the frontend package. labels Oct 18, 2024
@njlie njlie changed the title Create API Key or long-lived session token for Admin API [Multi-Tenant] Create API Key or long-lived session token for Admin API Nov 19, 2024
@njlie njlie changed the title [Multi-Tenant] Create API Key or long-lived session token for Admin API [Multi-Tenant] Use http-signatures to determine tenant identity during requests Nov 19, 2024
@njlie njlie moved this from Backlog to Todo in Rafiki Nov 25, 2024
@njlie njlie moved this from Todo to In Progress in Rafiki Dec 2, 2024
@njlie njlie linked a pull request Dec 6, 2024 that will close this issue
6 tasks
@koekiebox koekiebox moved this from In Progress to Ready for Review in Rafiki Dec 9, 2024
@koekiebox koekiebox moved this from Ready for Review to In Progress in Rafiki Dec 9, 2024
@njlie njlie moved this from In Progress to Ready for Review in Rafiki Dec 9, 2024
@mkurapov mkurapov linked a pull request Dec 9, 2024 that will close this issue
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
pkg: backend Changes in the backend package. pkg: frontend Changes in the frontend package.
Projects
Status: Ready for Review
Development

Successfully merging a pull request may close this issue.

1 participant