feat(server): add require authentication check

thinktecture · Nov 9, 2023 · 7ab8e1a · 7ab8e1a
1 parent 5d953a1
commit 7ab8e1a
Show file tree

Hide file tree

Showing 12 changed files with 693 additions and 8 deletions.
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -185,6 +185,12 @@ a valid login to your IDP creates the tenant on the RelayServer. No cleanup mech
 available, thus automatically created tenants need to be manually deleted when they are
 not needed/wanted anymore.
 
+### Require authentication
+
+If a tenant has `RequireAuthentication` enabled in the database, the RelayServer only relays
+when the request contains an access token from it's own issuer and audience (e.g., it comes
+from a connector). In any other case it returns 401.
+
 ## Connector
 
 The `RelayConnectorOptions` type provides the main configuration for the connector. These

diff --git a/src/Directory.Build.props b/src/Directory.Build.props
@@ -8,7 +8,7 @@
     <Nullable>enable</Nullable>
 
     <VersionPrefix>3.0.0</VersionPrefix>
-    <VersionSuffix>alpha.5</VersionSuffix>
+    <VersionSuffix>alpha.6</VersionSuffix>
     <Version Condition="'$(BuildNumber)' != ''">$(VersionPrefix)-$(VersionSuffix)-$(BuildNumber)</Version>
 
     <!-- NuGet Package information -->

diff --git a/src/Thinktecture.Relay.Server.Abstractions/Persistence/Models/Tenant.cs b/src/Thinktecture.Relay.Server.Abstractions/Persistence/Models/Tenant.cs
@@ -27,6 +27,11 @@ public class Tenant
 	/// <remarks>The maximum length is 1000 unicode characters.</remarks>
 	public string? Description { get; set; }
 
+	/// <summary>
+	/// Enable the requirement that only an authenticated request can use this tenant to relay requests.
+	/// </summary>
+	public bool RequireAuthentication { get; set; }
+
 	/// <summary>
 	/// The normalized (e.g. ToUpperInvariant()) name of the tenant. Use this for case-insensitive comparison in the database.
 	/// </summary>

diff --git a/...ostgreSql/Migrations/ConfigurationDb/20231109143956_Add_RequireAuthentication.Designer.cs b/...ostgreSql/Migrations/ConfigurationDb/20231109143956_Add_RequireAuthentication.Designer.cs
diff --git a/...orkCore.PostgreSql/Migrations/ConfigurationDb/20231109143956_Add_RequireAuthentication.cs b/...orkCore.PostgreSql/Migrations/ConfigurationDb/20231109143956_Add_RequireAuthentication.cs
@@ -0,0 +1,26 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace Thinktecture.Relay.Server.Persistence.EntityFrameworkCore.PostgreSql.Migrations.ConfigurationDb
+{
+    public partial class Add_RequireAuthentication : Migration
+    {
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AddColumn<bool>(
+                name: "RequireAuthentication",
+                table: "Tenants",
+                type: "boolean",
+                nullable: false,
+                defaultValue: false);
+        }
+
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropColumn(
+                name: "RequireAuthentication",
+                table: "Tenants");
+        }
+    }
+}
diff --git a/....EntityFrameworkCore.PostgreSql/Migrations/ConfigurationDb/RelayDbContextModelSnapshot.cs b/....EntityFrameworkCore.PostgreSql/Migrations/ConfigurationDb/RelayDbContextModelSnapshot.cs
@@ -217,6 +217,9 @@ protected override void BuildModel(ModelBuilder modelBuilder)
                         .HasMaxLength(100)
                         .HasColumnType("character varying(100)");
 
+                    b.Property<bool>("RequireAuthentication")
+                        .HasColumnType("boolean");
+
                     b.HasKey("NormalizedName");
 
                     b.HasIndex("ConfigTenantName");