Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SOFIE-95 - Sofie Core Groups with Trusted header #11

Draft
wants to merge 34 commits into
base: bbc-release52
Choose a base branch
from
Draft

SOFIE-95 - Sofie Core Groups with Trusted header #11

wants to merge 34 commits into from

Conversation

Julusian
Copy link
Collaborator

This is a hacky proof-of-concept on header based authentication flow.

For now using the dnt header, as that gets passed through to meteor.

When a ddp connection is opened, it checks the header, and if its not a valid value, it closes the connection. This may not be wanted, as it means this can't be bypassed within nginx, and breaks development.

Then a new meteor method is added, which allows for asking the backend what 'user level' to show in the ui. This is crudely slotted into existing logic, it needs to be redone properly. It also should consider re-checking the value whenever the ddp connection reopens, to allow for invalidating permissions.

The enum may want to be changed, to match the granular system used in the frontend.

But this works, I can run through nginx with proxy_set_header dnt "admin"; and the settings button appears, or change that to proxy_set_header dnt "studio"; and it disappears (and for some reason sofie won't let me run a studio in this mode..)

We should consider that nrkno#1241 is coming in release52, which removes the existing meteor user based auth. So when finishing this, it might be beneficial to pull in parts of that to avoid making this cooperate with code that is about to disappear.

@Julusian
Copy link
Collaborator Author

Reactivity isn't perfect within the ui, but this now behaves fairly sensibly.
The various scattered checks for permissions have been centralised to a react context. This context is updated on a 30s poll to meteor, which reports the permissions. This is a horrible hack and should be replaced with something more intelligent.
But this means that if I change the header set in nginx, and restart it (to force connections to be dropped), then after reconnecting, and the poll re-runs, the ui updates to reflect the new permissions (mostly, some bits need to be forced to remount)

This portion (minus the polling) could be contributed upstream on its own, as it is fairly standalone and would be useful for anyone else wanting to redo permissions within the ui

@Julusian Julusian changed the base branch from bbc-release51-3 to release51 September 20, 2024 14:48
@Julusian
Copy link
Collaborator Author

Julusian commented Sep 20, 2024
edited
Loading

This is very much battling how meteor wants auth to work, but I have a hack which sets the userId of a ddp connection when it is opened based off the headers.
And an working poc of using the userId to them check if a user is allowed to edit the studio.

@Julusian Julusian mentioned this pull request Oct 15, 2024
Open
5 tasks
@Julusian Julusian changed the base branch from release51 to bbc-release52 October 15, 2024 11:31
Julusian and others added 22 commits November 5, 2024 13:48
@Julusian
wip: poc user levels
fb4956a
@Julusian
wip: rework header and block takes if no studio permission
2951d1c
@Julusian
wip: hack out some 'old' code, and start on context for roles distrib…
f7391b6 
…ution
@Julusian
wip
99b910f
@Julusian
wip: remove remaining user permissions checks
346e6fb
@Julusian
hack: force the userId during connection open
ea55bd3
@Julusian
wip: example implementation of using header auth in collection allow/…
e7bd108 
…deny
@Julusian
Update Connections.ts
d79c106
@Julusian
Update Connections.ts
87f759e
@Julusian
wip: fix type errors
b8db318
@Julusian
fix: don't kill connections for readonly users
e755b0b
@Julusian
wip: systemStatus api
0253fc7
@Julusian
wip: allow proxy ddp via vite
936f1da
@Julusian
wip: some permissions
0972761
@Julusian
wip: more ddp
529b35b
@Julusian
wip: more ddp
406b891
@Julusian
wip: remove Users collection
bd3bbd6 
TODO: migration
@Julusian
wip: more ddp
8e9657a
@Julusian
wip: more ddp
fcd6993
@Julusian
wip: more ddp
2a768e8
@Julusian
wip: publications
289683d
@Julusian
wip: publications
2e80eb2
@Julusian Julusian changed the title SOFIE-95 - Sofie Core Groups with Trusted header POC SOFIE-95 - Sofie Core Groups with Trusted header Nov 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@Julusian