saveourtool/save-cloud
Auf GitHub ansehenEnhance authorization and authentication in save-cloud
Open
#2.336 geöffnet am 14. Juli 2023
authhelp wantedvulnerabilities
Repository-Metriken
- Stars
- (38 Stars)
- PR-Merge-Metriken
- (PR-Metriken ausstehend)
Beschreibung
TODO:
- test API after changing
- #2386
- refactor
BackendServiceand receive save's entity\class instead of spring's one to allow to provide ID - refactor
api-gatewayandauthentication-serviceto pass user's ID from api-gateway instead of second fetch to database inauthentication-service's logic - removed using
Authentication: Basic ***:***inauthentication-service-- we can create save's token with required info without checkingReactiveUserDetailsService. We can try to useorg.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken. It can be easy to migrate to X.509 authentication in future
- refactor
- Update swagger\open-api annotations:
- remove
com.saveourtool.save.configs.RequiresAuthorizationSourceHeaderor maybe leave because it's useful for local testing - update
com.saveourtool.save.configs.ApiSwaggerSupport, we support oauth2 and basic auth
- remove
- cover by tests
- #2407
- #2631
- #2629
- #2633
- #2540
Separator for user and auth provider should be revised
For now we are using @ for separate the user name and auth provider at least in WebSecurityConfig and in UserUtils.kt
But this symbol is not the variable and just the hardcoded symbol, so its hard to maintain this functionality
First of all, it should be extracted into the variable in save-cloud-common
And after this, we probably will need to change @ to something else, since @ is too dangerous to be a spec symbol
This work should be done under separate issue and very carefully, since it influence on core functionality - API application, auth. integration tests, db