saveourtool/save-cloud

Enhance authorization and authentication in save-cloud

Open

#2.336 aberto em 14 de jul. de 2023

Ver no GitHub
 (9 comments) (0 reactions) (2 assignees)Kotlin (4 forks)github user discovery
authhelp wantedvulnerabilities

Métricas do repositório

Stars
 (38 stars)
Métricas de merge de PR
 (Métricas PR pendentes)

Description

TODO:

  • test API after changing
  • #2386
    • refactor BackendService and receive save's entity\class instead of spring's one to allow to provide ID
    • refactor api-gateway and authentication-service to pass user's ID from api-gateway instead of second fetch to database in authentication-service's logic
    • removed using Authentication: Basic ***:*** in authentication-service -- we can create save's token with required info without checking ReactiveUserDetailsService. We can try to use org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken. It can be easy to migrate to X.509 authentication in future
  • Update swagger\open-api annotations:
    • remove com.saveourtool.save.configs.RequiresAuthorizationSourceHeader or maybe leave because it's useful for local testing
    • update com.saveourtool.save.configs.ApiSwaggerSupport, we support oauth2 and basic auth
  • cover by tests
  • #2407
  • #2631
  • #2629
  • #2633
  • #2540

Separator for user and auth provider should be revised

For now we are using @ for separate the user name and auth provider at least in WebSecurityConfig and in UserUtils.kt

But this symbol is not the variable and just the hardcoded symbol, so its hard to maintain this functionality

First of all, it should be extracted into the variable in save-cloud-common

And after this, we probably will need to change @ to something else, since @ is too dangerous to be a spec symbol

This work should be done under separate issue and very carefully, since it influence on core functionality - API application, auth. integration tests, db

Guia do colaborador