
[Multi-Tenant] Use http-signatures to determine tenant identity during requests #2928

Open
2 tasks
Tracked by #2893
njlie opened this issue Aug 30, 2024 · 0 comments
Labels
pkg: backend Changes in the backend package. pkg: frontend Changes in the frontend package.

njlie commented Aug 30, 2024

During tenanted Admin GraphQL requests, the server should leverage the existing http-signature signing scheme to determine if the requester is a particular tenant. This should be achieved through the following:

  • GraphQL requests should be augmented with a tenantId in the header.
  • A middleware on the Admin GraphQL server should use this header to retrieve the apiSecret on the associated entry in the tenants table.
  • This middleware should then construct a signature with the apiSecret it retrieved and either accept or reject the request based on whether the signature is valid.
  • If the request is accepted, the subsequent business logic should use the tenantId provided in the header as part of its input.

We might want to also allow signatures generated using the ADMIN_API_SECRET environment variable to be used as valid authentication, as a way for operators to identify themselves.

  • Update Admin API middleware to expect tenantId in header during request
  • Update Admin API middleware to call signature verification method that constructs signature from a tenant's apiSecret, throw if invalid

Prerequisites:

github-project-automation bot moved this to Backlog in Rafiki on Aug 30, 2024
njlie mentioned this issue on Aug 30, 2024 (33 tasks)
njlie added the labels pkg: backend and pkg: frontend on Oct 18, 2024
njlie changed the title from "Create API Key or long-lived session token for Admin API" to "[Multi-Tenant] Create API Key or long-lived session token for Admin API" on Nov 19, 2024
njlie changed the title from "[Multi-Tenant] Create API Key or long-lived session token for Admin API" to "[Multi-Tenant] Use http-signatures to determine tenant identity during requests" on Nov 19, 2024
Projects: Status: Backlog
Development: No branches or pull requests
1 participant