Enforce auth token type when checking authentication headers in requests #1300
I now suspect we can never drop support for `DAP-Auth-Token`.

I reviewed draft-dcook-ppm-dap-interop-test-design and it turns out it already specifies `DAP-Auth-Token`.

I'm repurposing this issue to track making Janus consult the `DAP-Auth-Token` header type when checking authentication headers in requests.
If some task accepts an `AuthenticationToken::DapAuth`, it should not be possible to present its value as an `AuthenticationToken::Bearer` and have it be accepted (or vice versa, should a Bearer token happen to also be a legal `DAP-Auth-Token` value). This was already the case because we evaluate tokens using `AuthenticationToken::eq`, but this commit adds a test to explicitly verify this. While we're in here, improve a doccomment to explain that `AuthenticationToken::DapAuth` complies with the interop testing framework as well as the now-obsolete `draft-ietf-ppm-dap-01`, and add a constant for the collection job route to match the ones for aggregation jobs and aggregate shares. Closes #1300
The `task_aggregator_auth_tokens` and `task_collector_auth_tokens` tables now have a `type` column explicitly indicating what kind of token it is. This should be enforced when checking authentication in a request. For instance, if a request contains a header `DAP-Auth-Token: <token>`, it should not validate against a stored token with `type = 'BEARER'` even if the token values match.

In #472 we're moving to checking for a bearer token in an `Authorization` HTTP header in Janus' DAP implementation (the aggregator API already does this). At some point, we should stop checking the `DAP-Auth-Token` header.
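The kind-plus-value check this issue asks for (and that the closing commit verifies through `AuthenticationToken::eq`), as an added Rust example that is not Janus's own code; the enum layout, `ct_eq`, `token_from_headers`, `is_authorized` and the simplified header parsing are assumptions made for illustration.

```rust
// Added example, not Janus code: a type-tagged token comparison in the spirit
// of this issue. Names and the simplified header parsing are assumptions.

/// Token kinds, mirroring the `type` column: the kind is part of the token's identity.
#[derive(Debug)]
enum AuthenticationToken {
    DapAuth(Vec<u8>), // presented in `DAP-Auth-Token: <token>`
    Bearer(Vec<u8>),  // presented in `Authorization: Bearer <token>`
}

impl AuthenticationToken {
    fn parts(&self) -> (u8, &[u8]) {
        match self {
            AuthenticationToken::DapAuth(v) => (0, v.as_slice()),
            AuthenticationToken::Bearer(v) => (1, v.as_slice()),
        }
    }

    /// Equal only when kind AND bytes match; bytes are folded without early
    /// exit so the first mismatching position is not leaked through timing.
    fn ct_eq(&self, other: &Self) -> bool {
        let ((ka, va), (kb, vb)) = (self.parts(), other.parts());
        if va.len() != vb.len() {
            return false;
        }
        let diff = va.iter().zip(vb).fold(ka ^ kb, |acc, (x, y)| acc | (x ^ y));
        diff == 0
    }
}

/// Builds the presented token from request headers (first recognised header wins).
fn token_from_headers(headers: &[(&str, &str)]) -> Option<AuthenticationToken> {
    headers.iter().find_map(|(name, value)| {
        if name.eq_ignore_ascii_case("DAP-Auth-Token") {
            Some(AuthenticationToken::DapAuth(value.as_bytes().to_vec()))
        } else if name.eq_ignore_ascii_case("Authorization") {
            value.strip_prefix("Bearer ").map(|t| AuthenticationToken::Bearer(t.as_bytes().to_vec()))
        } else {
            None
        }
    })
}

/// A request is accepted only if some stored token matches in both kind and value.
fn is_authorized(headers: &[(&str, &str)], accepted: &[AuthenticationToken]) -> bool {
    token_from_headers(headers).map_or(false, |p| accepted.iter().any(|t| t.ct_eq(&p)))
}
```

A `DAP-Auth-Token` value that also happens to be presented as a bearer token (or the reverse) is rejected because the kind byte enters the comparison alongside the bytes.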