
External api to generate Auth Token for API users #849

Open
mahalakshme opened this issue Jan 9, 2025 · 4 comments
@mahalakshme (Contributor) commented Jan 9, 2025

Need:

Not all backend languages support SRP, so some prefer username-password authentication. For this, sharing AWS access keys outside our org is not safe, so we need a login API.

AC:

  • Create an API which accepts a username and password, does SRP authentication with Cognito and returns an access token
  • This login API should work only when a user is marked as an API user. This can be tracked by a 'Should Allow Api Login' field in the settings column of the users table.
  • The above flag can be added in the UI under Settings

Technical details:

Code in this file in the integration repo can be reused. It looks like fetching the refresh token is not done and each time only the access token is fetched; the same can be done here.

Inputs:

  • isApiUser - login via API
  • timeout - a low one is good

@mahalakshme mahalakshme converted this from a draft issue Jan 9, 2025
@mahalakshme mahalakshme moved this from In Analysis to Ready in Avni Product Jan 9, 2025
@himeshr (Contributor) commented Jan 10, 2025

Himesh's Review comments:

  • How would we perform access control in code to restrict the actions performed by the apiUser?
  • We make use of Privileges to restrict API access, so how would we tie up the API user flag with the Privilege?

@mahalakshme mahalakshme moved this from Ready to In Analysis Review in Avni Product Jan 10, 2025
@mahalakshme mahalakshme moved this from In Analysis Review to Ready in Avni Product Jan 13, 2025
@himeshr himeshr self-assigned this Jan 15, 2025
@himeshr himeshr moved this from Ready to In Progress in Avni Product Jan 15, 2025
@himeshr (Contributor) commented Jan 16, 2025

@mahalakshme is this API to be considered an external API, and is a Swagger API doc entry needed for it? Or do we hide it to prevent abuse?

himeshr added a commit to avniproject/avni-webapp that referenced this issue Jan 16, 2025
@himeshr himeshr moved this from In Progress to Code Review Ready in Avni Product Jan 16, 2025
@himeshr (Contributor) commented Jan 16, 2025

Screenshots of the web user setting and of the API invocation (two images, 2025-01-16).

@himeshr himeshr changed the title Login api for API users Generate Auth Token external api for API users Jan 16, 2025
@himeshr himeshr changed the title Generate Auth Token external api for API users External api to generate Auth Token for API users Jan 16, 2025
@himeshr (Contributor) commented Jan 16, 2025

Test cases

Webapp

  • Create / edit user to enable / disable token generation setting

Server

  • Invoke the token generation API with isAllowedToInvokeTokenGenerationAPI enabled
    • Invalid username (should fail)
    • Valid username, invalid password (should fail)
    • Valid username and password (should pass)
  • Invoke the token generation API with isAllowedToInvokeTokenGenerationAPI disabled
    • Valid username and password (should fail)
  • The generated token should work for any GET external API invocation (e.g. get subjects)
  • The token generation API should work for both Keycloak-using and Cognito-using organisations
  • The UsersAndCatchments CSV should also support enabling / disabling the isAllowedToInvokeTokenGenerationAPI setting for users
  • Do not support the isAllowedToInvokeTokenGenerationAPI setting in the UsersAndCatchments CSV upload
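
The acceptance criteria in the opening comment and the server test matrix above, as an added example that is not code from the issue, from avni-server or from the integration repo: a Python model of the flag-gated token endpoint. The `User` record, the `FakeIdp` stand-in for the Cognito/Keycloak password check, the `TokenGenerationApi` class, the response shape and the sample users and passwords are all constructed for the illustration; only the setting name `isAllowedToInvokeTokenGenerationAPI` is from the thread. It goes beyond the page in one respect: every rejected request (unknown username, flag off, wrong password) gets the same generic 401, so the endpoint does not confirm which usernames exist or which users are API users.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Setting name taken from the issue; where it lives (users.settings JSON) is assumed.
SETTING = "isAllowedToInvokeTokenGenerationAPI"


@dataclass
class User:
    """Hypothetical user record; `settings` mirrors a JSON settings column."""
    username: str
    settings: dict = field(default_factory=dict)


class FakeIdp:
    """Constructed stand-in for the Cognito/Keycloak password check.

    It stores salted PBKDF2 hashes and hands back an opaque token on success,
    which is all the endpoint model needs. SRP itself is not modelled here.
    """

    def __init__(self, credentials: dict):
        self._salt = secrets.token_bytes(16)
        self._hashes = {u: self._derive(p) for u, p in credentials.items()}

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 10_000)

    def authenticate(self, username: str, password: str):
        expected = self._hashes.get(username)
        # Always derive, so an unknown username costs the same as a wrong password.
        candidate = self._derive(password)
        if expected is None or not hmac.compare_digest(expected, candidate):
            return None
        return "tok-" + secrets.token_urlsafe(16)


class TokenGenerationApi:
    """Model of the external token-generation endpoint (assumed design)."""

    # One failure response for every rejected request.
    GENERIC_FAILURE = (401, {"error": "Authentication failed"})

    def __init__(self, users, idp):
        self._users = {u.username: u for u in users}
        self._idp = idp

    def is_api_user(self, username: str) -> bool:
        user = self._users.get(username)
        # Strict `is True`: a missing key, False, or a string such as "true"
        # (say, from a bulk CSV upload) must not enable the endpoint.
        return user is not None and user.settings.get(SETTING) is True

    def generate_token(self, username: str, password: str):
        if not self.is_api_user(username):
            return self.GENERIC_FAILURE
        token = self._idp.authenticate(username, password)
        if token is None:
            return self.GENERIC_FAILURE
        return 200, {"authToken": token}


def build_demo() -> TokenGenerationApi:
    """Constructed users and passwords covering the test matrix in the thread."""
    users = [
        User("api_user", {SETTING: True}),
        User("web_user", {SETTING: False}),
        User("csv_user", {SETTING: "true"}),   # stringy flag, must not count
        User("plain_user"),                     # no setting at all
    ]
    idp = FakeIdp({
        "api_user": "correct-horse-battery",
        "web_user": "web-password",
        "csv_user": "csv-password",
        "plain_user": "plain-password",
    })
    return TokenGenerationApi(users, idp)


if __name__ == "__main__":
    api = build_demo()
    for user, pw in [("nobody", "x"), ("api_user", "wrong"),
                     ("api_user", "correct-horse-battery"),
                     ("web_user", "web-password"), ("csv_user", "csv-password")]:
        print(user, pw, "->", api.generate_token(user, pw))
```

Two design choices worth noting. Checking the flag before calling the identity provider means non-API users never consume an IdP round trip or a failed-login counter, at the cost of a small timing difference between "flag off" and "wrong password"; if that distinction matters, call the IdP unconditionally and apply the flag to the result afterwards. And the flag only decides who may obtain a token, not what the token may do: the question raised in review about tying the API user to Privileges still has to be answered on the authorisation side, since a token minted here is otherwise indistinguishable from one the web app obtained.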
