multiple auth tokens - is that feasible?

[tessus]

Sorry for posting an issue, but the discussions are not available for this repo. This is not a bug, but rather a question.

I was thinking whether the possibility of multiple auth tokens is a good idea. My use-case was that I'd like to share access to my rustypaste instance with a few select people. But sharing access tokens is somewhat a no-no, even though it is nothing critical and I know the people I'd give the token to anyway.

What do you think? Is this something that makes sense or is this an overkill?

I thought about a few ways to implement this. e.g. an optional config option access_token_file that points to a file, in which each line holds a token. Or an access_tokens array in the config.
The question is whether to read that file into an array at start (and when the config is refreshed) or at request time. The latter is easy, but I don't like it due to perf implications, and the former might need a little bit of research on my part (due to memory locking and so on).

It's just an idea for a future feature, but as mentioned I am not sure if it is feasible. It's also not something I have to do myself. A Rustacean can probably do this in 5 minutes or 10 minutes with test cases.

You can close this issue right away. I just didn't find another way to ask this question.

[orhun]

Sorry for posting an issue, but the discussions are not available for this repo. This is not a bug, but rather a question.

Enabled discussions for the repo and converted this issue to a discussion!

I was thinking whether the possibility of multiple auth tokens is a good idea. My use-case was that I'd like to share access to my rustypaste instance with a few select people. But sharing access tokens is somewhat a no-no, even though it is nothing critical and I know the people I'd give the token to anyway.
What do you think? Is this something that makes sense or is this an overkill?

I think it makes sense in the case that there are scopes and more features to have control over the files. For example, if you have an "admin" role, you can upload files with unlimited size but an "user" can only upload 10MB. Another example would be you'd have the power to delete files, etc.

Just for the sole purpose of sharing tokens with people, I think it could be implemented as an array in the config file. e.g. auth_tokens (we can keep the old option as auth_token)

I thought about a few ways to implement this. e.g. an optional config option access_token_file that points to a file, in which each line holds a token. Or an access_tokens array in the config.

Just answered that. 🐻

The question is whether to read that file into an array at start (and when the config is refreshed) or at request time. The latter is easy, but I don't like it due to perf implications, and the former might need a little bit of research on my part (due to memory locking and so on).

Let's not use a file dedicated for storing a list of tokens. We have the config file for a reason. I'm okay with that implementation if you decide to go with it!

[tessus]

Enabled discussions for the repo and converted this issue to a discussion!

Nice, thanks.

I think it makes sense in the case that there are scopes and more features to have control over the files. For example, if you have an "admin" role, you can upload files with unlimited size but an "user" can only upload 10MB. Another example would be you'd have the power to delete files, etc.

I thought about that too, but that might be an overkill. e.g. I don't know which files are on the server, unless an /admin endpoint is created with the ability to list/delete (and maybe even inspect) files. But this is a serious overkill IMO.
RBAC is awesome but I think rustypaste was never intended to be used this way, am I correct?

Just for the sole purpose of sharing tokens with people, I think it could be implemented as an array in the config file. e.g. auth_tokens (we can keep the old option as auth_token)

Nice, this is quite easy to do I think.

The only thing that should be clarified is the precedence. What happens if someone specifies both: auth_token and auth_tokens? Shall they be merged? Will one just override the other?

I'm okay with that implementation if you decide to go with it!

Cool, I will be looking into this in a few days. A feature for 0.12.0 then. ;-)

[orhun]

RBAC is awesome but I think rustypaste was never intended to be used this way, am I correct?

Yup, totally an overkill.

The only thing that should be clarified is the precedence. What happens if someone specifies both: auth_token and auth_tokens? Shall they be merged? Will one just override the other?

I think they can be merged 🐻

Cool, I will be looking into this in a few days. A feature for 0.12.0 then. ;-)

Neato, thanks!

[tessus]

It certainly is interesting - and slightly frustrating. ;-) I have spent about 6 hours in the last 2 days, but couldn't find anything. I have the feeling I am losing my sanity.
I am going to take a step back and not think about it for a few days. But I might post a topic in the Rust community forum.

I know that I am not a Rust programmer, but I do at least think I understood a bit of it. And this just doesn't make any sense. Why does the code I put on play work, but not the code in rustypaste? It's basically the same, except for actix Error types and 2 more arguments in the function that have nothing to do with the issue.

[orhun]

You might also try to create a post in the Rust subreddit.

I have the feeling I am losing my sanity.

Take it easy man 🐻

[tessus]

I created a topic in the Rust forum. Turns out that my code works just fine. But guess what. cargo test suppresses any output unless there is an error. So that is why the println statements didn't show up...

Well, lessons learned.

I'll add a few more tests and also fixtures and create a PR tomorrow evening.

[orhun]

Oooh, so the solution is to use --nocapture argument?

I'll add a few more tests and also fixtures and create a PR tomorrow evening.

Great! Thanks for looking into this 🐻 (btw I recently sponsored you on GitHub, I hope that helps a bit to ease the pain :D)

[tessus]

Oooh, so the solution is to use --nocapture argument?

Yep, if we want to see any output (stdout, stderr) for successful tests. But the statements were just for demonstration purposes anyway. I just thought the code was not properly executed because I didn't see the println statements. Duh, of course if they are suppressed. Haha.
Now I know.

I recently sponsored you on GitHub

Oh, wow, thanks. I have to check my emails. I missed the gh notification.

Btw, I got to it earlier than expected. I'll open a PR in the next few minutes.

[tessus]

I think we can close this discussion as resolved.