Api key guard #205

Merged: 6 commits, Feb 25, 2022

Conversation

@NotGyro (Contributor) commented Nov 15, 2021

Motivation

Increase security on the full-service wallet's jsonrpc loop.

In this PR

  • Full-service now examines an MC_API_KEY environment variable. If the environment variable is left blank, no checks will be performed. However, if the environment variable is set, an equality check will be performed, looking for an X-API-KEY header in the incoming http request. If these are not equal, an error will be returned. If this header does equal the environment variable, the jsonrpc command will be performed.

  • The API key is sourced from an env var and then added to the Rocket client's state. This allows us to source the API key from places other than the env var without changing the code for the request guard, which is particularly useful in testing. Testing with env vars in Rust is a bit fraught. Env vars are shared across all tests and tests run simultaneously, so you can't scope an env var config to a particular test.

  • Also did a bit of test util refactoring to help test this functionality

Implements functionality described in Asana ticket "full-service API key"

In addition to unit tests, I ran the following smoke tests:

  • expect request to succeed when I don't set env var and also don't set key header
  • expect request to fail when I don't set env var but do set key header
  • expect request to succeed when I set env var and set matching key header
  • expect request to fail when I set env var and set mismatched key header
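The guard logic described in the PR, written out as an added example. This is not full-service's own code and pulls in no Rocket types, so it runs stand-alone; the names ApiKeyConfig, ApiKeyError, check_api_key and ct_eq are hypothetical. It follows the bullet description above (a blank or unset MC_API_KEY disables the check entirely, so a request that carries an X-API-KEY header while no key is configured is accepted), and it separates the configured key from the env var, as the PR does, so tests can inject a key without touching process-wide environment state. One thing the description's "equality check" leaves open is how the comparison is done; the example uses a constant-time byte comparison so a wrong key cannot be searched prefix-by-prefix via response timing.

```rust
// Added example modelling the X-API-KEY request guard described in PR #205.
// Not the full-service project's code; hypothetical names throughout.
// Assumptions: the env var is MC_API_KEY, the header is X-API-KEY, and a
// blank or unset variable disables the check (per the PR description).

#[derive(Debug, PartialEq, Eq)]
pub enum ApiKeyError {
    /// A key is configured but the request carried no X-API-KEY header.
    Missing,
    /// The header was present but did not match the configured key.
    Invalid,
}

/// The configured key, as it would be read once at startup and stored in
/// server state instead of being re-read from the environment per request.
/// `None` models an unset or blank MC_API_KEY, which disables the check.
#[derive(Clone, Debug)]
pub struct ApiKeyConfig {
    key: Option<Vec<u8>>,
}

impl ApiKeyConfig {
    /// Build the config from the raw env var value. Whitespace-only values
    /// count as blank so a stray newline in a deployment file does not
    /// silently become the "key".
    pub fn from_env_value(value: Option<&str>) -> Self {
        let key = value
            .map(str::trim)
            .filter(|v| !v.is_empty())
            .map(|v| v.as_bytes().to_vec());
        ApiKeyConfig { key }
    }

    /// Convenience constructor reading MC_API_KEY from the real environment.
    pub fn from_env() -> Self {
        Self::from_env_value(std::env::var("MC_API_KEY").ok().as_deref())
    }
}

/// Constant-time byte comparison: every byte is examined regardless of where
/// the first mismatch is. Only the length is allowed to short-circuit, which
/// reveals nothing a client cannot already learn from the expected key format.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff: u8 = 0;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

/// The guard decision. `header` is the X-API-KEY value from the request, if any.
/// A real Rocket guard would wrap this in a FromRequest impl and map Err to a
/// 401 outcome before the jsonrpc handler runs.
pub fn check_api_key(cfg: &ApiKeyConfig, header: Option<&str>) -> Result<(), ApiKeyError> {
    match &cfg.key {
        // No key configured: the check is disabled, per the PR description.
        None => Ok(()),
        Some(expected) => match header {
            None => Err(ApiKeyError::Missing),
            Some(h) if ct_eq(h.as_bytes(), expected) => Ok(()),
            Some(_) => Err(ApiKeyError::Invalid),
        },
    }
}

fn main() {
    // Constructed sample: a configured key and three kinds of request.
    let cfg = ApiKeyConfig::from_env_value(Some("s3cret"));
    println!("matching header: {:?}", check_api_key(&cfg, Some("s3cret")));
    println!("wrong header:    {:?}", check_api_key(&cfg, Some("guess")));
    println!("no header:       {:?}", check_api_key(&cfg, None));
}
```

Two practitioner caveats the PR text does not cover: an env var is readable by any process running as the same user (for example via the process's environment listing), so the key should be treated as a secret at the deployment layer; and a bearer value in a plain header only protects the jsonrpc loop if the listener is bound to localhost or fronted by TLS, otherwise the key is recoverable from any network position between client and wallet.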

@NotGyro NotGyro changed the base branch from main to develop November 15, 2021 19:19
@NotGyro NotGyro requested a review from itdaniher November 15, 2021 20:25
@christian-oudard christian-oudard marked this pull request as draft November 16, 2021 21:49
@Shramp Shramp changed the title [DRAFT/WIP] Api key header Api key guard Feb 23, 2022
@Shramp Shramp marked this pull request as ready for review February 23, 2022 01:13
@Shramp Shramp requested a review from david1alvarez February 23, 2022 01:13
@Shramp Shramp merged commit 7a672cc into develop Feb 25, 2022
@Shramp Shramp deleted the api-key-header branch February 25, 2022 19:04
briancorbin added a commit that referenced this pull request Mar 4, 2022
* adding max limit to some API endpoints (#248)

* Remove unnecessary foreign keys from gift_codes table. (#249)

* Update readme installation instructions (#250)

* Enable foreign key constraints. Fix transient FK errors when deleting an account. (#251)

* Remove foreign key check before running migrations. This allows databases with existing foreign key errors to be fixed by the migrations. (#252)

* Fix a bug causing sync to create many tiny chunks. (#253)

* Remove target block arg from manually sync account fn (#255)

* Initial action to build containers for tag pushes (#256)

* Supporting FOG enabled accounts (#254)

* FOG Creds default to empty string if not provided from API (#257)

* update readme (#259)

* Api key guard (#205)

* fixing issue with ledger not syncing automatically (#261)

* sync up to the last block instead of excluding it (#262)
5 participants