Comments (6)

davetron5000 avatar davetron5000 commented on May 27, 2024

The thinking was that a micro service would not have a ton of non-authed routes. The app you are referring to is a full stack app that exposes a microservice, which is a pattern we recommend against and that we should avoid. I think this is why your allow list is so complicated.

The simplest way I can think of to clean it up would be to accept an array of regexps:

configuration.allow_list = [
  "/referrals/foo",
  "/resque-web",
  # etc.
]

and then wrap those with %r{\A#{val}\Z} or something.

I'm not understanding how this plays into the need to store the api client in the environment. Those should be totally separate concerns from what is allowed/denied.

from stitches.
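An added example (not the stitches gem's own code) of the allow list proposed in this comment: string entries are treated as regexp source and wrapped in \A...\z so an entry must match the whole request path, and anything not on the list requires auth by default. The entries and the unanchored variant are constructed here for comparison only.

```ruby
# Constructed allow list in the shape proposed above (hypothetical entries).
ALLOW_LIST = [
  "/referrals/foo",
  "/resque-web(/.*)?",   # regexp-style entry: /resque-web and everything under it
  "/health",
].freeze

class AllowList
  # Each string is regexp source; wrap it so it must match the WHOLE path.
  # \A = start of string, \z = very end (\Z would also accept a trailing "\n").
  def initialize(entries)
    @patterns = entries.map { |e| e.is_a?(Regexp) ? e : %r{\A#{e}\z} }
  end

  def allowed?(path)
    @patterns.any? { |re| re.match?(path) }
  end
end

# Auth by default: any path not on the allow list must present an API key.
def requires_auth?(path, allow_list = AllowList.new(ALLOW_LIST))
  !allow_list.allowed?(path)
end

# Contrast: an unanchored check, to show why the anchoring matters.
# "/health" would match "/admin/health" and "/resque-web" would match
# "/resque-webhook", silently widening the unauthenticated surface.
def unanchored_allowed?(path, entries = ALLOW_LIST)
  entries.any? { |e| Regexp.new(e).match?(path) }
end
```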

TildeWill avatar TildeWill commented on May 27, 2024

I think this is why your allow list is so complicated.

Correct. The team is taking steps to move to the recommended architecture in this specific case.

The simplest way I can think of to clean it up would be to accept an array of regexps:

configuration.allow_list = [
  "/referrals/foo",
  "/resque-web",
  # etc.
]

and then wrap those with %r{\A#{val}\Z} or something.

That would be a big improvement in readability within the Stitches initializer within an app and would address some of the pain. But the discoverability of the allow_list is still pretty poor when you're rolling in to an application and trying to understand why some endpoints give you a 401 and others don't. I want to move API auth to a place that is closer to where someone might look, such as in routes.rb or in the controller.

davetron5000 avatar davetron5000 commented on May 27, 2024

Yeah, the allow list was added kinda hastily as we realized we needed a way to easily opt out some routes from auth; I would agree it's a "thing about routing" and thus kinda belongs in the routes file (thus your point that it's more discoverable). The main "feature" I would want to keep is "auth by default", i.e. if you add a route in config/routes.rb in "the normal Rails Way" it should require auth. I think a routing constraint could do this?

TildeWill avatar TildeWill commented on May 27, 2024

I think a routing constraint could do this?

Correct.

What it can't do is set the client on the response as is currently happening here:

env[@configuration.env_var_to_hold_api_client_primary_key] = client.id
env[@configuration.env_var_to_hold_api_client] = client

davetron5000 avatar davetron5000 commented on May 27, 2024

It might not need to, but to leave the api_key middleware in would require two lookups to the api client per request. I guess the proposed routing constraint could simply check for the existence of the key in the header and handle the allow list and we keep the middleware the same? I dunno, we'll have to think this through.

TildeWill avatar TildeWill commented on May 27, 2024

I'll put a PR together to give us something concrete to point to.
