Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implemented jwt token authentication for login #1574

Merged
merged 24 commits into from
Jul 3, 2024
Merged

Implemented jwt token authentication for login #1574

merged 24 commits into from
Jul 3, 2024

Conversation

Sujanadh
Copy link
Contributor

What type of PR is this? (check all applicable)

  • πŸ• Feature
  • πŸ› Bug Fix
  • πŸ“ Documentation
  • πŸ§‘β€πŸ’» Refactor
  • βœ… Test
  • πŸ€– Build or CI
  • ❓ Other (please specify)

Related Issue

Describe this PR

This PR adds new configuration to generate jwt authentication token for temporary login as well as to encapsulate the osm login for consistency. For token generation, the "RS256" algorithm is used, whereas rsa keys are generated for encoding and decoding the token.

Screenshots

N/A

Alternative Approaches Considered

Did you attempt any other approaches that are not documented in code?

Review Guide

Notes for the reviewer. How to test this change?

Checklist before requesting a review

[optional] What gif best describes this PR or how it makes you feel?

@Sujanadh Sujanadh requested a review from spwoodcock June 13, 2024 12:47
@Sujanadh Sujanadh self-assigned this Jun 13, 2024
@github-actions github-actions bot added the backend Related to backend code label Jun 13, 2024
@Sujanadh Sujanadh marked this pull request as draft June 13, 2024 12:48
spwoodcock
spwoodcock reviewed Jun 13, 2024
View reviewed changes
Copy link
Member

@spwoodcock spwoodcock left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Very nice code!

I think the only thing missing is modifying the introspect endpoint to deserialise the access token and check that it has not expired.

Also the tests are failing and may need to be looked at 😁

src/backend/app/auth/auth_routes.py Outdated Show resolved Hide resolved
src/backend/app/auth/auth_routes.py Outdated Show resolved Hide resolved
src/backend/app/config.py Outdated Show resolved Hide resolved
@Sujanadh
Copy link
Contributor Author

Very nice code!

I think the only thing missing is modifying the introspect endpoint to deserialise the access token and check that it has not expired.

Also the tests are failing and may need to be looked at 😁

introspect depends on login_required and expiry check is done in login_required.

@Sujanadh
Copy link
Contributor Author

Since a temporary user is not a real user and is not present in a database, we need to create it in the database, so for that, we need to explicitly specify the fields like id and other fields like profile_img as None.

@Sujanadh
Copy link
Contributor Author

I think test was failing because env file is not updated with variables like AUTH_PRIVATE_KEY .

@spwoodcock
Copy link
Member

Thanks for the feedback - was reviewing on my phone again and missed the login_required link 😁

We already have user svcfmtm in the db - could we use that for the temp user possibly?

I'll update the env vars for the tests πŸ‘

@Sujanadh
Copy link
Contributor Author

Sujanadh commented Jun 14, 2024
edited
Loading

Thanks for the feedback - was reviewing on my phone again and missed the login_required link 😁

We already have user svcfmtm in the db - could we use that for the temp user possibly?

I'll update the env vars for the tests πŸ‘

should we use username "svcfmtm" also or just the id ?

@Sujanadh Sujanadh marked this pull request as ready for review June 14, 2024 11:44
@spwoodcock
Copy link
Member

spwoodcock commented Jun 14, 2024
edited
Loading

Thanks for the feedback - was reviewing on my phone again and missed the login_required link 😁
We already have user svcfmtm in the db - could we use that for the temp user possibly?
I'll update the env vars for the tests πŸ‘

should we use username "svcfmtm" also or just the id ?

Probably good to just hardcode svcfmtm as the user πŸ‘
It is a valid OSM username too.
We can then pick up that username/id during data conflation and instead insert the username of the project manager for OSM submissions.

@spwoodcock
Copy link
Member

spwoodcock commented Jun 14, 2024
edited
Loading

This is pretty much good to go, but I will wait to merge until we finalise the 2024.3.1 release.

@spwoodcock spwoodcock self-assigned this Jun 14, 2024
@spwoodcock
Copy link
Member

In addition to the above @Sujanadh and I just discussed the possibility of using JWT refresh tokens to keep the token alive.

If the user is inactive for many days it will expire, but if accessed regularly the token will refresh.

Seems like a good idea to me πŸ‘

@github-actions github-actions bot added docs Improvements or additions to documentation devops Related to deployment or configuration labels Jul 1, 2024
@spwoodcock
Copy link
Member

spwoodcock commented Jul 2, 2024
edited
Loading

Did a bit of additional refactoring and finished off the roles!

Still need to:

  • Set additional env vars in Github environments
  • Fix test_create_project that is showing 400 project with name already exists??

@spwoodcock spwoodcock merged commit 4eb01c7 into development Jul 3, 2024
7 of 9 checks passed
@spwoodcock spwoodcock deleted the feat/jwt-auth branch July 3, 2024 13:07
spwoodcock added a commit that referenced this pull request Jul 3, 2024
@Sujanadh @spwoodcock
feat: implement global jwt token authentication for login (#1574)
e97a04f 
* feat: implemented jwt token authentication for login

* fix: added audience while decoding

* feat: added pyjwt , updated user id to existing svcfmtm osmid

* feat: change username to svcfmtm

* feat: implemented refresh token and updated dependency lock file

* fix: return user data from refresh endpoint

* changed img_url -> picture, retrieve id from sub field

* feat: exception handling if osm deserialization fails

* build: relock deps after pyjwt added

* refactor: remove auth key path variables, require passing string values

* docs: update install docs with info for gen priv/pub keys

* docs: update all docs for AUTH_PUBLIC_KEY vars

* build: add AUTH_PUBLIC_KEY vars to gen-env.sh script

* refactor: exclude rsa keys from debug printed settings

* fix(backend): improve logic for /me endpoint upsert & return ProjectRoles OrgManagers

* fix(backend): return int type for AuthUser.id

* refactor: create auth_schemas and replace all imports

* refactor: pass user_id only to task_crud functions

* test: update auth user creation for fixtures

* test: guarantee randomness with uuid4 over randint

* fix(backend): create_project existing project check must be scalar

* fix(backend): conform to nominatim usage policy referer header

* test: rename var for clarity

---------

Co-authored-by: spwoodcock <sam.woodcock@protonmail.com>
@spwoodcock spwoodcock mentioned this pull request Jul 3, 2024
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@spwoodcock spwoodcock spwoodcock requested changes

Assignees

@spwoodcock spwoodcock

@Sujanadh Sujanadh

Labels
backend Related to backend code devops Related to deployment or configuration docs Improvements or additions to documentation frontend Related to frontend code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Sujanadh @spwoodcock