Feature: provide getting auth token and user profile api for client-server used.

[kokokuo]

Description

Provide an getting token info POST API /auth/token and get user profile GET API /auth/user-profile for client-server to authenticate and get user information. Otherwise, we also support providing auth credentials data ( e.g: token ) from query string or payload. So it not only has one way to provide by Authorization in the header.

We will talk about it in two sections.

How to use /auth/token and /auth/user-profile API

The /auth/token POST API is used to get tokens by passing user identity information, e.g: username or password. After you get the token, you could continue to get the current user's basic information by GET /auth/user-profile with the above got token.

Also if you would like to query the data endpoint API, you also need the token.

Set auth options to make API work first.

The type value should provide satisfy the key name under auth options, e.g: basic, simple-token, password-file.. and so on.

Sample 1

auth:
 options:
  basic:
   htpasswd-file: 
     ....

Then you could access auth and get a token with API /auth/token endpoint.

{
  "type": "basic"
  // below is the auth type needed for other payload data, e.g: username, password
}

Sample 2

If you also added password-file auth type options in settings:

auth:
 options:
  basic:
   htpasswd-file: 
    path: './yyyy'
  simple-token:
   - name: user1
     token: '....'

Then the auth API /auth/token with type could use simple-token and basic.

Error message

If you do not provide type query string, it will show 400 status code with the message, like below:

{
  "message": "auth type 'xxx',in options not supported, authenticator only supported"
}

Other payloads like username, password

Current built-in authenticators: simple-token, password-file and basic both need to be given username and password fields in the payload.

{
 "type": "basic"
 "username": "user1",
 "passowrd": "test1"
}

If the client missed some field e.g: username or password it will throw an error message with status 400:

{
  "message": "error message....."
}

After you get the token e.g: dXNlcjE6dGVzdDE=, then you could get the user profile following the above /auth/user-profile GET API we talked.

Just call the GET API /auth/user-profile and set the Authorization with token value e.g: dXNlcjE6dGVzdDE= in request header.

Customize your Authenticator

If the above built-in basic, password-files, simple-token authenticator could not satisfy, we could define the authenticator, you should inherit BaseAuthenticator and implement the getTokenInfo and authCredential method.

Support providing token or other related auth credentials data from query string or payload

We also define another middleware called authSourceNormalizerMiddleware to support clients who could pass the auth credentials data query string or payload.

Set the auth-source options

Default, the client could through auth key and base64 with JSON stringify flow to encode your Authroizartion key with value. like below:

/auth/user-profile?auth=Base64(JSON.stringfiy({'Authorization': `Basic dXNlcjE6dGVzdDE=`})) 

Then we will find the auth in the query string and check if the format is Base64 or not, if yes, we will try to decode it and move it to the header, but, currently, we only accept the Authorization key name in the object. ( We will provide a whitelist feature to make user could define the acceptable key name in the object )

If you would like to change the key name like x-auth to replace the auth key, or you would like to set x-auth by payload, the you could define it in auth-source options:

auth-source:
  key:'x-auth'  # default is "auth" key name
  in: 'query'    # default is "query",  and we support "payload" or "query" two types

like above, then when you send a query to the data endpoint e.g: /orders, it looks like below:

/orders?x-auth=Base64(JSON.stringfiy({'Authorization': `Basic dXNlcjE6dGVzdDE=`})) 

Commit Message

• 04eb9f4 feat(serve): provide auth identity route for client server used.
• f13dc42 fix(serve): add error handler for an auth route middleware
• 016656a fix(serve): move server.close to after each function in test cases
• 1a0930a fix(serve): move the auth credential middleware checking option logistic to onActivate method
• 044b649 fix(serve): add checking enable condition and option value in onActivate method of auth route middleware
• 7c3f9b4 fix(serve): the /auth route still need to contain Authorization header issue
• 4dfd5cc fix(serve): remove checking user credential logistic and only generate token
• 7f6d397 fix(serve): change get method of /auth/token endpoint to post method
• 14f3bb9 feat(serve): add /auth/user-profile api to get user profile.
• ac2d8d5 feat(serve): add auth source normalizer middleware to support query string source auth data
• 258157f fix(serve): import 'koa-bodyparser' in the each authenticator to make jest run correct.
• 2bce5e8 fix(serve,labs): refactor error message when not provide auth types in options, and set disable for auth in vulcan.yaml template in labs project

[codecov-commenter]

Codecov Report

Base: 92.52% // Head: 92.77% // Increases project coverage by +0.24% 🎉

Coverage data is based on head (2bce5e8) compared to base (06aca46).
Patch coverage: 94.87% of modified lines in pull request are covered.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop      #47      +/-   ##
===========================================
+ Coverage    92.52%   92.77%   +0.24%     
===========================================
  Files          224      229       +5     
  Lines         3117     3223     +106     
  Branches       370      391      +21     
===========================================
+ Hits          2884     2990     +106     
+ Misses         169      168       -1     
- Partials        64       65       +1     

Flag	Coverage Δ
build	94.87% <ø> (ø)
cli	91.42% <ø> (ø)
core	93.22% <ø> (ø)
extension-dbt	97.43% <ø> (ø)
extension-debug-tools	98.11% <ø> (ø)
extension-driver-duckdb	100.00% <ø> (ø)
integration-testing	96.15% <100.00%> (+1.15%)	⬆️
serve	90.12% <94.77%> (+1.31%)	⬆️
test-utility	∅ <ø> (∅)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...kages/serve/src/models/extensions/authenticator.ts	90.90% <ø> (ø)
...es/serve/src/lib/auth/passwordFileAuthenticator.ts	81.81% <81.81%> (+0.73%)	⬆️
...c/lib/middleware/auth/authCredentialsMiddleware.ts	85.00% <85.00%> (ø)
.../middleware/auth/authSourceNormalizerMiddleware.ts	90.00% <90.00%> (ø)
.../integration-testing/src/example1/projectConfig.ts	100.00% <100.00%> (ø)
packages/serve/src/lib/app.ts	84.84% <100.00%> (+0.97%)	⬆️
...kages/serve/src/lib/auth/httpBasicAuthenticator.ts	87.23% <100.00%> (+2.23%)	⬆️
...ges/serve/src/lib/auth/simpleTokenAuthenticator.ts	100.00% <100.00%> (ø)
...es/serve/src/lib/middleware/auth/authMiddleware.ts	100.00% <100.00%> (ø)
...ve/src/lib/middleware/auth/authRouterMiddleware.ts	100.00% <100.00%> (ø)
... and 7 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[oscar60310]

Other part LGTM.

[oscar60310]

I think this function ( and the /auth endpoint) only provide the information of authenticators, e.g. token, redirect URL ...etc. But we don't need to do auth check here, it is the job of authCredential function, we don't need to duplicate the logic here. So do other authenticators.

  public async authIdentity(ctx: KoaContext) {
    const username = ctx.request.query['username'] as string;
    const password = ctx.request.query['password'] as string;
    if (!username || !password)
      throw new Error('please provide "username" and "password".');
    // encode it anyway, let users fail at authCredential function
    const token = Buffer.from(`${username}:${password}`).toString('base64');

    return {
      token: token,
    };
  }

[kokokuo]

Thanks @oscar60310 the for suggestion, after discussion I have made it only generate the token, and provide another API /auth/user-profile to get the user data with the token which got from /auth/token

[oscar60310]

NIT: Can we check the config in onActivate function?

[kokokuo]

Thanks for @oscar60310 suggestion. it has been fixed.

[oscar60310]

Can we check the option at onActivate function too?

if (this.enable && isEmpty(xxxxx

[kokokuo]

Thanks for @oscar60310 suggestion. it has been fixed.

[oscar60310]

Can we only mount our routes only when extension is enabled?

if(this.enable) this.setAuthRoute();

[kokokuo]

Thanks for @oscar60310 suggestion, it has been fixed.

[oscar60310]

I'd prefer using POST instead of GET to send our credentials.

[oscar60310]

Ought this route to be public? For now, it's protected by authCredentialMiddleware, that is, we have to send credentials before knowing how to get one.

❌
curl --location --request GET 'http://localhost:3000/auth?type=basic&username=ivan&password=123'

✅
curl --location --request GET 'http://localhost:3000/auth?type=basic&username=ivan&password=123'
--header 'Authorization: Basic aXZhbjoxMjM='

[kokokuo]

Thanks for @oscar60310 suggestion and finding the issue. The API has changed to POST and rename it to /auth/token. Otherwise, the original calling the /auth also needs the --header 'Authorization: Basic aXZhbjoxMjM=' issue also has been fixed, thanks a lot!

[kokokuo]

I also add more test cases related to authentication in the integration-testing package and change the structure.

[oscar60310]

We should close server in afterEach hooks, or they become dangling if test cases failed.

[kokokuo]

Thanks for @oscar60310 suggestion. it has been fixed.

[kokokuo]

Hi @oscar60310, it has been fixed and provide new API for getting user profile, thanks for discussing with me and giving suggestion 😃