Rework Endpoint authentication #2947

Merged 1 commit on Aug 15, 2024

@987Nabil 987Nabil commented Jul 8, 2024

@jdegoes This is still a draft, because I want some feedback, but have some tidy up work to do and add all auth options.

The idea behind the design is:

  • AuthType at Endpoint defines what kind of authorization header is expected
  • the server impl automatically adds a check for the existence of the authorization header and validates the format based on the set AuthType
  • creating client invocations requires setting the authorization header via one of our typed values Header.Authorization.XXX. Which of these is required is defined in AuthType.ClientRequirement

For documentation purposes, all auth related information should be part of AuthType. We could add here also meta information like scopes.

wdyt?

fixes #2888
/claim #2888
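
A self-contained model of the design described above, added here as an example; it is not code from this PR or from zio-http. `Credentials`, `BasicCreds`, `BearerCreds`, `NoAuth`, `Checked`, `scheme`, `render`, `validate` and `clientHeader` are hypothetical names, and the header value is handled as a plain string.

```scala
import java.nio.charset.StandardCharsets.UTF_8
import java.util.Base64
import scala.util.Try
// Hypothetical stand-ins for the typed values the description calls Header.Authorization.XXX.
sealed trait Credentials
final case class BasicCreds(user: String, password: String) extends Credentials
final case class BearerCreds(token: String) extends Credentials
sealed trait AuthType {
  type ClientRequirement // what a client must supply
  def render(req: ClientRequirement): Option[String] // client: header to send
  def validate(header: Option[String]): AuthType.Checked // server: presence and format
}
object AuthType {
  type Checked = Either[String, Option[Credentials]]
  // Scheme names are case-insensitive; require "<scheme> <credentials>".
  private def scheme(name: String, header: Option[String]): Either[String, String] =
    header.toRight("missing Authorization header").flatMap { h =>
      h.trim.split("\\s+", 2) match {
        case Array(s, v) if s.equalsIgnoreCase(name) => Right(v)
        case _ => Left(s"expected '$name <credentials>'")
      }
    }
  case object NoAuth extends AuthType { // plays the role of the page's `None`
    type ClientRequirement = Unit
    def render(req: Unit): Option[String] = None
    def validate(header: Option[String]): Checked = Right(None)
  }
  case object Basic extends AuthType {
    type ClientRequirement = BasicCreds
    def render(req: BasicCreds): Option[String] = Some("Basic " +
      Base64.getEncoder.encodeToString(s"${req.user}:${req.password}".getBytes(UTF_8)))
    def validate(header: Option[String]): Checked = scheme("Basic", header).flatMap { v =>
      Try(new String(Base64.getDecoder.decode(v), UTF_8)).toOption.map(_.split(":", 2)) match {
        case Some(Array(u, p)) => Right(Some(BasicCreds(u, p)))
        case _ => Left("malformed Basic credentials")
      }
    }
  }
  case object Bearer extends AuthType {
    type ClientRequirement = BearerCreds
    def render(req: BearerCreds): Option[String] = Some("Bearer " + req.token)
    def validate(header: Option[String]): Checked = scheme("Bearer", header).map(t => Some(BearerCreds(t)))
  }
}
object Demo extends App {
  // The second parameter's type depends on the first: omitting or mistyping credentials fails to compile.
  def clientHeader(auth: AuthType)(req: auth.ClientRequirement): Option[String] = auth.render(req)
  val sent = clientHeader(AuthType.Basic)(BasicCreds("alice", "s3cret")) // constructed sample
  Seq(sent, None, Some("Bearer abc"), Some("Basic %%%")).foreach(h => println(AuthType.Basic.validate(h)))
}
```

Only the well-formed Basic header yields `Right`; the missing header, the wrong scheme and the undecodable credentials each yield a `Left` that a server would turn into a rejection.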


case object None extends AuthType { type ClientRequirement = Unit }
case object Basic extends AuthType { type ClientRequirement = Header.Authorization.Basic }
case object Bearer extends AuthType { type ClientRequirement = Header.Authorization.Bearer }
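
Review bot: the name `None` on the first line shadows `scala.None` wherever these members are referenced unqualified, for example after a wildcard import, so `Option` code in that scope resolves to the auth type instead. A distinct name such as `NoAuth` avoids the clash. The three cases also carry no doc comment; a short note on each saying which Authorization scheme the server will require would help, since the description says all auth-related documentation should live on AuthType.
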
Contributor

FYI, there could be some more use cases:

  1. Custom header like X-API-Key. The header name can vary.
  2. Combination of multiple auth types: I have some endpoints that support both Bearer and X-API-Key.
  3. I don't have that kind of use case, but there might be needs for cookie-based authentication, when the endpoint needs to support plain web browsers.

Contributor Author

Thanks for the feedback. I want to get comments about the general design. But we can make auth type a FP DSL with fallback. And I want to add more options for sure. Maybe we can make it work that users can define custom auth types. We actually only need the ClientRequirement and a Codec for the server. But this all depends on the authorization header.
A more generic solution would then also need to define the header type and the client requirement/codec would need to use this header type. This would still work. The question is, if it is worth the effort.

@guersam guersam Jul 8, 2024

Sure, take your time. I just wanted to inform my use cases that may affect the design e.g. multiple auth types, not to force you to add all the missing stuff right now 😅

In general, I think replacing endpoint middleware with dedicated auth input is way more practical, because it was always difficult to imagine a general endpoint middleware that takes into account server, client, and documentation with necessary type juggling that may affect all the type members.

@987Nabil force-pushed the endpoint-auth-rework branch from bd4c27d to 45b8fbc on July 9, 2024 12:10

@swoogles
Contributor

@jdegoes Is this still on your radar? If this is truly the last major issue blocking the final RC, it would be great to get @987Nabil some of the feedback he's looking for.

Member

jdegoes commented Aug 2, 2024

@987Nabil This is the sort of approach I was envisioning. It looks directionally correct and a big cleanup. Do you need any assistance with anything in particular?

Contributor Author

987Nabil commented Aug 3, 2024

@jdegoes I just wanted to know if I am walking the right path. I'll continue then and let you know when it is ready for review

@987Nabil force-pushed the endpoint-auth-rework branch 2 times, most recently from adc83b0 to 9c27ef9, on August 7, 2024 17:38
@987Nabil marked this pull request as ready for review on August 7, 2024 17:39
@987Nabil requested review from jdegoes and vigoo as code owners on August 7, 2024 17:39
@987Nabil force-pushed the endpoint-auth-rework branch 2 times, most recently from a43921f to 55b351f, on August 7, 2024 20:34

@codecov-commenter

Codecov Report

Attention: Patch coverage is 52.52525% with 47 lines in your changes missing coverage. Please review.

Project coverage is 66.33%. Comparing base (e9f1c02) to head (55b351f).
Report is 31 commits behind head on main.

Files Patch % Lines
...ed/src/main/scala/zio/http/endpoint/Endpoint.scala 48.31% 46 Missing ⚠️
...ain/scala/zio/http/endpoint/EndpointExecutor.scala 75.00% 1 Missing ⚠️

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2947      +/-   ##
==========================================
+ Coverage   64.78%   66.33%   +1.54%     
==========================================
  Files         157      154       -3     
  Lines        9395     9687     +292     
  Branches     1743     1799      +56     
==========================================
+ Hits         6087     6426     +339     
+ Misses       3308     3261      -47     


@guersam guersam left a comment

Brilliant!

@987Nabil force-pushed the endpoint-auth-rework branch from 55b351f to 6c57a94 on August 15, 2024 07:28

Member

jdegoes commented Aug 15, 2024

@987Nabil Going to merge. However, with an endpoint that requires authentication, it should be mandatory to supply the authentication information to the typesafe Endpoint client. This is not currently implemented, but I think it's a big enough PR to merge anyway.

@jdegoes jdegoes merged commit fe42b85 into zio:main Aug 15, 2024
34 checks passed
Successfully merging this pull request may close these issues.

Replace Endpoint middleware concept with Security concept