-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(users): setup user authentication methods schema and apis #4999
Conversation
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we encrypt auth_configs
in DB? It might contain merchant specific secrets.
migrations/2024-06-10-084722_create_org_authentication_table/up.sql
Outdated
Show resolved
Hide resolved
migrations/2024-06-10-084722_create_org_authentication_table/down.sql
Outdated
Show resolved
Hide resolved
migrations/2024-06-10-084722_create_org_authentication_table/up.sql
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are we sure that we are going to create separate table to tenants?
migrations/2024-06-10-084722_create_org_authentication_table/up.sql
Outdated
Show resolved
Hide resolved
b6a1adc
to
ae64997
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Where are we going to store totp_required
? Neither we have a column in the table nor AuthConfig
have any field for this.
migrations/2024-06-10-084722_create_user_authentication_methods_table/down.sql
Outdated
Show resolved
Hide resolved
@ThisIsMani for now we can assume |
…cker_compose.toml`
crates/router/src/core/user.rs
Outdated
state: SessionState, | ||
req: user_api::GetUserAuthenticationMethodsRequest, | ||
) -> UserResponse<Vec<user_api::UserAuthenticationMethodResponse>> { | ||
let user_auth_encryption_key = hex::decode( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should not do KMS decode every time, it will increase the latency and the cost. We can instead cache the decoded data.
Let's reconsider encrypting the whole config payload : Do we really need to encrypt the whole config data? Because the response needs only non sensitive data from config. By eliminating encryption part in non sensitive data, we can skip this decryption part and also the KMS part in this API.
pub struct AuthMethodDetails { | ||
#[serde(rename = "type")] | ||
pub auth_type: common_enums::UserAuthType, | ||
pub name: Option<OpenIdProvider>, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should not be forced to take OpenIdProvider
type.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can be changed to String
when we will add other cases, where name doesn't come from OpenIdProvider
pub enum Owner { | ||
Organization, | ||
Tenant, | ||
Internal, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What would be the owner_id
, in case on Owner::Internal
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can remove Internal
, or assign some id (hyperswitch
) if we think we encounter relevant use cases for this.
#[derive(router_derive::Setter, Clone, Debug, Insertable, router_derive::DebugAsDisplay)] | ||
#[diesel(table_name = user_authentication_methods)] | ||
pub struct UserAuthenticationMethodNew { | ||
pub id: String, | ||
pub auth_id: String, | ||
pub owner_id: String, | ||
pub owner_type: enums::Owner, | ||
pub auth_type: enums::UserAuthType, | ||
pub private_config: Option<Encryption>, | ||
pub public_config: Option<serde_json::Value>, | ||
pub allow_signup: bool, | ||
pub created_at: PrimitiveDateTime, | ||
pub last_modified_at: PrimitiveDateTime, | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the this type is exactly same as UserAuthenticationMethod
, then why is this struct required.
can't we put the required macros in UserAuthenticationMethod
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In our diesel models we have like this, we use Insertable
for new
type and use the other as response type. Better to keep this distinction between types and keep things consistent.
.change_context(UserErrors::InternalServerError) | ||
.attach_printable("Failed to decode DEK")?; | ||
|
||
let (private_config, public_config) = match req.auth_method { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
repeated code.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can cover this along with constraint addition in upcoming PR
…ough-hyperswitch-cypress * 'main' of github.com:juspay/hyperswitch: feat(router): add support for googlepay step up flow (#2744) fix(access_token): use `merchant_connector_id` in access token (#5106) feat: added kafka events for authentication create and update (#4991) feat(ci): add vector to handle logs pipeline (#5021) feat(users): Decision manager flow changes for SSO (#4995) ci(cypress): Fix payment method id for non supported connectors (#5075) refactor(core): introduce an interface to switch between old and new connector integration implementations on the connectors (#5013) refactor(events): populate object identifiers in outgoing webhooks analytics events during retries (#5067) Refactor: [Fiserv] Remove Default Case Handling (#4767) chore(version): 2024.06.24.0 fix(router): avoid considering pre-routing results during `perform_session_token_routing` (#5076) refactor(redis): spawn one subscriber thread for handling all the published messages to different channel (#5064) feat(users): setup user authentication methods schema and apis (#4999) feat(payment_methods): Implement Process tracker workflow for Payment method Status update (#4668) chore(version): 2024.06.20.1 chore(postman): update Postman collection files fix(payment_methods): support last used for off session token payments (#5039) ci(postman): add net_amount field test cases (#3286) refactor(connector): [Mifinity]dynamic fields for mifinity (#5056) refactor(payment_method): [Klarna] store and populate payment_type for klarna_sdk Paylater in response (#4956)
Type of Change
Description
The PR:
Additional Changes
config/config.example.toml
config/deployments/env_specific.toml
config/development.toml
config/docker_compose.toml
Motivation and Context
Closes #4998
How did you test it?
To create authentication method, ( auth is admin_api_key only):
Response: 200 OK if auth method got created successfully.
To update
Response will be 200 OK for success full auth config update
To get list of authentication methods
Response
Checklist
cargo +nightly fmt --all
cargo clippy