Mirrors/unleash.unleash
1
0
Fork 0
mirror of https://github.com/Unleash/unleash.git synced 2025-01-06 00:07:44 +01:00
Code Issues Projects Releases Wiki Activity
2cd80d31f8
unleash.unleash/src/lib/middleware/api-token-middleware.ts

113 lines
3.9 KiB
TypeScript
Raw Normal View History

Feat/api key scoping (#941) Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai>
2021-09-15 20:28:10 +02:00
import { ApiTokenType } from '../types/models/api-token';
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com>
2021-04-22 10:07:10 +02:00
import { IUnleashConfig } from '../types/option';
chore: expose types so we can use them properly (#5251) Expose types to be used in enterprise and cloud addons
2023-11-03 12:00:24 +01:00
import { IApiRequest, IAuthRequest } from '../routes/unleash-types';
fix(import): making all imports relative and removing baseUrl (#5847) Co-authored-by: Simon Hornby <liquidwicked64@gmail.com>
2024-01-17 14:33:03 +01:00
import { IUnleashServices } from '../server-impl';
feat: allow api token middleware to fetch from db (#6344) ## About the changes When edge is configured to automatically generate tokens, it requires the token to be present in all unleash instances. It's behind a flag which enables us to turn it on on a case by case scenario. The risk of this implementation is that we'd be adding load to the database in the middleware that evaluates tokens (which are present in mostly all our API calls. We only query when the token is missing but because the /client and /frontend endpoints which will be the affected ones are high throughput, we want to be extra careful to avoid DDoSing ourselves ## Alternatives: One alternative would be that we merge the two endpoints into one. Currently, Edge does the following: If the token is not valid, it tries to create a token using a service account token and /api/admin/create-token endpoint. Then it uses the token generated (which is returned from the prior endpoint) to query /api/frontend. What if we could call /api/frontend with the same service account we use to create the token? It may sound risky but if the same application holding the service account token with permission to create a token, can call /api/frontend via the generated token, shouldn't it be able to call the endpoint directly? The purpose of the token is authentication and authorization. With the two tokens we are authenticating the same app with 2 different authorization scopes, but because it's the same app we are authenticating, can't we just use one token and assume that the app has both scopes? If the service account already has permissions to create a token and then use that token for further actions, allowing it to directly call /api/frontend does not necessarily introduce new security risks. The only risk is allowing the app to generate new tokens. Which leads to the third alternative: should we just remove this option from edge?
2024-02-27 16:08:44 +01:00
import { IFlagContext } from '../types';
Feat: Api-Tokens (#774) fixes: #774
2021-03-29 19:58:11 +02:00
Feat/api key scoping (#941) Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai>
2021-09-15 20:28:10 +02:00
const isClientApi = ({ path }) => {
fix: reject unauthorized client requests (#3881) If apiTokens are enabled breaks middleware chain with a 401 if no token is found for requests to client and frontend apis. Previously the middleware allowed the chain to process. Removes the regex search for multiple slashes, and instead configures the apiTokenMiddleware to reject unauthorized requests.
2023-05-27 16:29:54 +02:00
return path && path.indexOf('/api/client') > -1;
Feat/api key scoping (#941) Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai>
2021-09-15 20:28:10 +02:00
};
Added a check that allows posting edge bulk metrics with a client token (#5735) This allows bulk metrics posted with a Client token to be accepted. Previously you needed an admin token to have bulk metrics accepted
2024-01-02 09:51:01 +01:00
const isEdgeMetricsApi = ({ path }) => {
return path && path.indexOf('/edge/metrics') > -1;
};
feat: embed proxy endpoints (#1926) * refactor: remove unused API definition routes * feat: add support for proxy keys * feat: support listening for any event * feat: embed proxy endpoints * refactor: add an experimental flag for the embedded proxy
2022-08-16 15:33:33 +02:00
const isProxyApi = ({ path }) => {
fix: proxy api check (#1965) * fix: proxy api check * fix: add await * fix: revert async setup for prehook * fix: stricter endpoint checks
2022-08-26 11:44:12 +02:00
if (!path) {
return;
}
// Handle all our current proxy paths which will redirect to the new
// embedded proxy endpoint
return (
fix: reject unauthorized client requests (#3881) If apiTokens are enabled breaks middleware chain with a 401 if no token is found for requests to client and frontend apis. Previously the middleware allowed the chain to process. Removes the regex search for multiple slashes, and instead configures the apiTokenMiddleware to reject unauthorized requests.
2023-05-27 16:29:54 +02:00
path.indexOf('/api/proxy') > -1 ||
path.indexOf('/api/development/proxy') > -1 ||
path.indexOf('/api/production/proxy') > -1 ||
path.indexOf('/api/frontend') > -1
fix: proxy api check (#1965) * fix: proxy api check * fix: add await * fix: revert async setup for prehook * fix: stricter endpoint checks
2022-08-26 11:44:12 +02:00
);
feat: embed proxy endpoints (#1926) * refactor: remove unused API definition routes * feat: add support for proxy keys * feat: support listening for any event * feat: embed proxy endpoints * refactor: add an experimental flag for the embedded proxy
2022-08-16 15:33:33 +02:00
};
feat: allow api token middleware to fetch from db (#6344) ## About the changes When edge is configured to automatically generate tokens, it requires the token to be present in all unleash instances. It's behind a flag which enables us to turn it on on a case by case scenario. The risk of this implementation is that we'd be adding load to the database in the middleware that evaluates tokens (which are present in mostly all our API calls. We only query when the token is missing but because the /client and /frontend endpoints which will be the affected ones are high throughput, we want to be extra careful to avoid DDoSing ourselves ## Alternatives: One alternative would be that we merge the two endpoints into one. Currently, Edge does the following: If the token is not valid, it tries to create a token using a service account token and /api/admin/create-token endpoint. Then it uses the token generated (which is returned from the prior endpoint) to query /api/frontend. What if we could call /api/frontend with the same service account we use to create the token? It may sound risky but if the same application holding the service account token with permission to create a token, can call /api/frontend via the generated token, shouldn't it be able to call the endpoint directly? The purpose of the token is authentication and authorization. With the two tokens we are authenticating the same app with 2 different authorization scopes, but because it's the same app we are authenticating, can't we just use one token and assume that the app has both scopes? If the service account already has permissions to create a token and then use that token for further actions, allowing it to directly call /api/frontend does not necessarily introduce new security risks. The only risk is allowing the app to generate new tokens. Which leads to the third alternative: should we just remove this option from edge?
2024-02-27 16:08:44 +01:00
const contextFrom = (
req: IAuthRequest<any, any, any, any> | IApiRequest<any, any, any, any>,
): IFlagContext | undefined => {
// this is what we'd get from edge:
// req_path: '/api/client/features',
// req_user_agent: 'unleash-edge-16.0.4'
return {
reqPath: req.path,
reqUserAgent: req.get ? req.get('User-Agent') ?? '' : '',
reqAppName:
req.headers?.['unleash-appname'] ?? req.query?.appName ?? '',
};
};
refactor: improve token type error message (#1709)
2022-06-17 09:00:13 +02:00
export const TOKEN_TYPE_ERROR_MESSAGE =
feat: embed proxy endpoints (#1926) * refactor: remove unused API definition routes * feat: add support for proxy keys * feat: support listening for any event * feat: embed proxy endpoints * refactor: add an experimental flag for the embedded proxy
2022-08-16 15:33:33 +02:00
'invalid token: expected a different token type for this endpoint';
refactor: improve token type error message (#1709)
2022-06-17 09:00:13 +02:00
fix: reject unauthorized client requests (#3881) If apiTokens are enabled breaks middleware chain with a 401 if no token is found for requests to client and frontend apis. Previously the middleware allowed the chain to process. Removes the regex search for multiple slashes, and instead configures the apiTokenMiddleware to reject unauthorized requests.
2023-05-27 16:29:54 +02:00
export const NO_TOKEN_WHERE_TOKEN_WAS_REQUIRED =
'This endpoint requires an API token. Please add an authorization header to your request with a valid token';
Feat: Api-Tokens (#774) fixes: #774
2021-03-29 19:58:11 +02:00
const apiAccessMiddleware = (
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com>
2021-04-22 10:07:10 +02:00
{
getLogger,
authentication,
Feat/unleash flags embedded proxy (#1974) * feat: use unleash flags for embedded proxy * feat: add a separate flag for the proxy frontend * fix: setup unleash in dev * fix: check flagResolver on each request * fix: remove unleash client setup * refactor: update frontend routes snapshot * refactor: make batchMetrics flag dynamic * fix: always check dynamic CORS origins config * fix: make conditionalMiddleware work with the OpenAPI schema generation Co-authored-by: olav <mail@olav.io>
2022-08-26 15:16:29 +02:00
flagResolver,
}: Pick<IUnleashConfig, 'getLogger' | 'authentication' | 'flagResolver'>,
chore: expose types so we can use them properly (#5251) Expose types to be used in enterprise and cloud addons
2023-11-03 12:00:24 +01:00
{ apiTokenService }: Pick<IUnleashServices, 'apiTokenService'>,
Feat: Api-Tokens (#774) fixes: #774
2021-03-29 19:58:11 +02:00
): any => {
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com>
2021-04-22 10:07:10 +02:00
const logger = getLogger('/middleware/api-token.ts');
Feat/api key scoping (#941) Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai>
2021-09-15 20:28:10 +02:00
logger.debug('Enabling api-token middleware');
Feat: Api-Tokens (#774) fixes: #774
2021-03-29 19:58:11 +02:00
Feat/options need types (#794) feat: options are now typed - This makes it easier to know what to send to unleash.start / unleash.create - Using a Partial to instantiate the config, then melding it with defaults to get a config object with all fields set either to their defaults or to whatever is passed in. Co-authored-by: Fredrik Strand Oseberg <fredrik.no@gmail.com> Co-authored-by: Ivar Conradi Østhus <ivarconr@gmail.com>
2021-04-22 10:07:10 +02:00
if (!authentication.enableApiToken) {
Feat: Api-Tokens (#774) fixes: #774
2021-03-29 19:58:11 +02:00
return (req, res, next) => next();
}
feat: allow api token middleware to fetch from db (#6344) ## About the changes When edge is configured to automatically generate tokens, it requires the token to be present in all unleash instances. It's behind a flag which enables us to turn it on on a case by case scenario. The risk of this implementation is that we'd be adding load to the database in the middleware that evaluates tokens (which are present in mostly all our API calls. We only query when the token is missing but because the /client and /frontend endpoints which will be the affected ones are high throughput, we want to be extra careful to avoid DDoSing ourselves ## Alternatives: One alternative would be that we merge the two endpoints into one. Currently, Edge does the following: If the token is not valid, it tries to create a token using a service account token and /api/admin/create-token endpoint. Then it uses the token generated (which is returned from the prior endpoint) to query /api/frontend. What if we could call /api/frontend with the same service account we use to create the token? It may sound risky but if the same application holding the service account token with permission to create a token, can call /api/frontend via the generated token, shouldn't it be able to call the endpoint directly? The purpose of the token is authentication and authorization. With the two tokens we are authenticating the same app with 2 different authorization scopes, but because it's the same app we are authenticating, can't we just use one token and assume that the app has both scopes? If the service account already has permissions to create a token and then use that token for further actions, allowing it to directly call /api/frontend does not necessarily introduce new security risks. The only risk is allowing the app to generate new tokens. Which leads to the third alternative: should we just remove this option from edge?
2024-02-27 16:08:44 +01:00
return async (req: IAuthRequest | IApiRequest, res, next) => {
Feat/api key scoping (#941) Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai>
2021-09-15 20:28:10 +02:00
if (req.user) {
Feat: Api-Tokens (#774) fixes: #774
2021-03-29 19:58:11 +02:00
return next();
}
try {
fix: User should require a ID field set (#799)
2021-04-22 23:40:52 +02:00
const apiToken = req.header('authorization');
Personal access token middleware (#2069) * Middleware first version * Middleware tests * Add tests * Finish middleware tests * Add type for request * Add flagresolver * Fix snapshot * Update flags and tests * Put it back as default * Update snapshot
2022-09-28 15:53:56 +02:00
if (!apiToken?.startsWith('user:')) {
chore: expose types so we can use them properly (#5251) Expose types to be used in enterprise and cloud addons
2023-11-03 12:00:24 +01:00
const apiUser = apiToken
feat: allow api token middleware to fetch from db (#6344) ## About the changes When edge is configured to automatically generate tokens, it requires the token to be present in all unleash instances. It's behind a flag which enables us to turn it on on a case by case scenario. The risk of this implementation is that we'd be adding load to the database in the middleware that evaluates tokens (which are present in mostly all our API calls. We only query when the token is missing but because the /client and /frontend endpoints which will be the affected ones are high throughput, we want to be extra careful to avoid DDoSing ourselves ## Alternatives: One alternative would be that we merge the two endpoints into one. Currently, Edge does the following: If the token is not valid, it tries to create a token using a service account token and /api/admin/create-token endpoint. Then it uses the token generated (which is returned from the prior endpoint) to query /api/frontend. What if we could call /api/frontend with the same service account we use to create the token? It may sound risky but if the same application holding the service account token with permission to create a token, can call /api/frontend via the generated token, shouldn't it be able to call the endpoint directly? The purpose of the token is authentication and authorization. With the two tokens we are authenticating the same app with 2 different authorization scopes, but because it's the same app we are authenticating, can't we just use one token and assume that the app has both scopes? If the service account already has permissions to create a token and then use that token for further actions, allowing it to directly call /api/frontend does not necessarily introduce new security risks. The only risk is allowing the app to generate new tokens. Which leads to the third alternative: should we just remove this option from edge?
2024-02-27 16:08:44 +01:00
? await apiTokenService.getUserForToken(
apiToken,
contextFrom(req),
)
chore: expose types so we can use them properly (#5251) Expose types to be used in enterprise and cloud addons
2023-11-03 12:00:24 +01:00
: undefined;
Personal access token middleware (#2069) * Middleware first version * Middleware tests * Add tests * Finish middleware tests * Add type for request * Add flagresolver * Fix snapshot * Update flags and tests * Put it back as default * Update snapshot
2022-09-28 15:53:56 +02:00
const { CLIENT, FRONTEND } = ApiTokenType;
refactor: improve token type error message (#1709)
2022-06-17 09:00:13 +02:00
Personal access token middleware (#2069) * Middleware first version * Middleware tests * Add tests * Finish middleware tests * Add type for request * Add flagresolver * Fix snapshot * Update flags and tests * Put it back as default * Update snapshot
2022-09-28 15:53:56 +02:00
if (apiUser) {
if (
Added a check that allows posting edge bulk metrics with a client token (#5735) This allows bulk metrics posted with a Client token to be accepted. Previously you needed an admin token to have bulk metrics accepted
2024-01-02 09:51:01 +01:00
(apiUser.type === CLIENT &&
!isClientApi(req) &&
!isEdgeMetricsApi(req)) ||
Personal access token middleware (#2069) * Middleware first version * Middleware tests * Add tests * Finish middleware tests * Add type for request * Add flagresolver * Fix snapshot * Update flags and tests * Put it back as default * Update snapshot
2022-09-28 15:53:56 +02:00
(apiUser.type === FRONTEND && !isProxyApi(req)) ||
(apiUser.type === FRONTEND &&
!flagResolver.isEnabled('embedProxy'))
) {
res.status(403).send({
message: TOKEN_TYPE_ERROR_MESSAGE,
});
return;
}
req.user = apiUser;
fix: reject unauthorized client requests (#3881) If apiTokens are enabled breaks middleware chain with a 401 if no token is found for requests to client and frontend apis. Previously the middleware allowed the chain to process. Removes the regex search for multiple slashes, and instead configures the apiTokenMiddleware to reject unauthorized requests.
2023-05-27 16:29:54 +02:00
} else if (isClientApi(req) || isProxyApi(req)) {
// If we're here, we know that api token middleware was enabled, otherwise we'd returned a no-op middleware
// We explicitly only protect client and proxy apis, since admin apis are protected by our permission checker
// Reject with 401
res.status(401).send({
message: NO_TOKEN_WHERE_TOKEN_WAS_REQUIRED,
});
return;
Feat/api key scoping (#941) Co-authored-by: Christopher Kolstad <chriswk@getunleash.ai>
2021-09-15 20:28:10 +02:00
}
Feat: Api-Tokens (#774) fixes: #774
2021-03-29 19:58:11 +02:00
}
} catch (error) {
fix: reduce severity of api token middleware errors (#4216) This isn't something our on-calls can do something about when it fails, so downgrading to WARN seems like the right level.
2023-07-11 12:33:02 +02:00
logger.warn(error);
Feat: Api-Tokens (#774) fixes: #774
2021-03-29 19:58:11 +02:00
}
refactor: improve token type error message (#1709)
2022-06-17 09:00:13 +02:00
next();
Feat: Api-Tokens (#774) fixes: #774
2021-03-29 19:58:11 +02:00
};
};
export default apiAccessMiddleware;
Reference in New Issue Copy Permalink