-
Notifications
You must be signed in to change notification settings - Fork 109
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix the endpoint for short-lived tokens #1907
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
coolreader18
approved these changes
Oct 25, 2024
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Seems reasonable to me.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of Changes
NB: This was branched off #1892, so you can ignore the earlier commits.
The main change here is to fix the
identity/websocket_token
token route that clients can use to get a short-lived token. That endpoint will now validate the token normally, and return a token with the same clients, signed with the local key. This means the short lived token is not necessarily signed withissuer
s key. This is ok, because when we validate tokens, we first check if the token was signed with our key before we even look at the issuer.This also has a few innocuous changes to work with this private PR https://github.com/clockworklabs/SpacetimeDBPrivate/pull/1081.
Expected complexity level and risk
Testing
The tests in
token_validation
verify how/when we are supposed to look at the issuer when validating keys.