Sy 877 server api middleware

[LeonLiur]

Feature Pull Request Template

Key Information

• Linear Issue: SY-878

Description

API middleware & client libraries supporting user registration and policy management.

Please review and consider these three questions I had while in development:

• In our typescript client, the auth field can be undefined if the user did not provide username & password upon starting the client. Should this still be the case? Shouldn't we allow auth to always be an available service so the user can register even if they did not log in?
• Should register be a public route? This is fine because even if a user registers itself, it does not have the privilege to do anything else. However this might leave vulnerabilities like DDoS? (which we can address in other ways than making it a private endpoint).
• Minor security issue: If a user has channel CREATE privileges but not RETRIEVE, they can still RETRIEVE channels they created because of the client's channel cache. Is this worth addressing?

Basic Readiness Checklist

• I have performed a self-review of my code.
• I have added relevant tests to cover the changes.
• I have updated user facing documentation accordingly.

Migrations

• Console - I have ensured that previous versions of stored data structures are
  properly migrated to new formats.
• Server - I have ensured that previous versions of stored data structures are
  properly migrated to new formats.

Manual QA Additions

• I have updated the Release Candidate template
  with necessary manual QA steps to test my change.

Breaking Changes

/api/v1/auth/protected/change-password -> /api/v1/user/protected/change-password
/api/v1/auth/protected/change-username -> /api/v1/user/protected/change-username
/api/v1/auth/register -> /api/v1/user/register

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 26, 2024 6:13pm

[codecov]

Codecov Report

Attention: Patch coverage is 35.24138% with 939 lines in your changes missing coverage. Please review.

Project coverage is 50.98%. Comparing base (0ae52e0) to head (f106c83).

Files	Patch %	Lines
synnax/pkg/api/framer.go	0.00%	150 Missing ⚠️
synnax/pkg/api/ranger.go	0.00%	105 Missing ⚠️
synnax/pkg/api/hardware.go	0.00%	76 Missing ⚠️
synnax/pkg/api/user.go	0.00%	70 Missing ⚠️
synnax/pkg/api/access.go	0.00%	61 Missing ⚠️
synnax/pkg/api/ontology.go	0.00%	61 Missing ⚠️
synnax/pkg/api/channel.go	0.00%	55 Missing ⚠️
synnax/pkg/api/schematic.go	0.00%	49 Missing ⚠️
synnax/pkg/api/line_plot.go	0.00%	39 Missing ⚠️
synnax/pkg/api/label.go	0.00%	38 Missing ⚠️
... and 37 more

Additional details and impacted files

@@            Coverage Diff             @@
##               rc     #731      +/-   ##
==========================================
- Coverage   51.31%   50.98%   -0.34%     
==========================================
  Files        1055     1066      +11     
  Lines       81142    82146    +1004     
  Branches     3288     3297       +9     
==========================================
+ Hits        41638    41880     +242     
- Misses      38484    39258     +774     
+ Partials     1020     1008      -12     

Flag	Coverage Δ
aspen	50.18% <ø> (ø)
cesium	76.18% <ø> (ø)
clientpy	81.97% <100.00%> (ø)
clientts	87.56% <96.83%> (+0.49%)	⬆️
freighterpy	77.81% <100.00%> (ø)
pluto	44.74% <0.00%> (+<0.01%)	⬆️
synnax	27.10% <8.15%> (-1.75%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[emilbon99]

See my comments. Also, please do a review of all endpoints to make sure we're not accidentally leaking information by using named return values after checking access.

[emilbon99]

Useless allocation. Just use nil.

[LeonLiur]

If this is nil then upon encoding as json it won't get encoded into an empty list

[emilbon99]

Note that Pluto tests do not pass because the client does not compile due to type errors

[LeonLiur]

Note that Pluto tests do not pass because the client does not compile due to type errors

addressed

[emilbon99]

Address my comments. Also freighter test is failing - flaky or did the formatting tests mess something up?

[LeonLiur]

Address my comments. Also freighter test is failing - flaky or did the formatting tests mess something up?

Seemed flakey, passing now

[Lham42]

Is there functionality here we should also test in QA?

[LeonLiur]

Is there functionality here we should also test in QA?

Yes, we should probably test the ability to register new users

[emilbon99]

@LeonLiur @Lham42 We'll probably add QA changes with @pjdotson goes through and implements the console stuff. The changes in this PR can all be easily unit tested.

[Lham42]

LGTM