
Use JWT verifier in API server #365

Merged
merged 1 commit into main from 01-03-use_jwt_verifier_in_api_server
Jan 6, 2025

Conversation

neekolas
Copy link
Contributor

@neekolas neekolas commented Jan 3, 2025

Summary by CodeRabbit

  • New Features

    • Added JWT-based authentication to the API server.
    • Introduced conditional JWT verification for server initialization.
  • Improvements

    • Enhanced server authentication capabilities.
    • Enabled flexible JWT verification across different server configurations.

Copy link

coderabbitai bot commented Jan 3, 2025

Walkthrough

The changes introduce JWT-based authentication to the API server infrastructure. Modifications span multiple files in the pkg directory, focusing on enhancing the server initialization process. A new parameter jwtVerifier is added to the NewAPIServer function, allowing for conditional creation of authentication interceptors. The startAPIServer function is updated to initialize this verifier, and the test setup is modified to incorporate JWT verification, enhancing the server's authentication capabilities.

Changes

| File | Change Summary |
| --- | --- |
| pkg/api/server.go | Updated NewAPIServer function signature to include jwtVerifier parameter; added conditional logic for creating authentication interceptors. |
| pkg/server/server.go | Added jwtVerifier variable initialized based on replication settings; passed JWT verifier to API server during initialization. |
| pkg/testutils/api/api.go | Imported authn package; created jwtVerifier using authn.NewRegistryVerifier in test API server setup. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Config as Server Configuration
    participant APIServer as API Server
    participant JWTVerifier as JWT Verifier
    participant Interceptors as Authentication Interceptors

    Config->>APIServer: Initialize with optional JWTVerifier
    alt JWTVerifier is not nil
        APIServer->>JWTVerifier: Verify JWT
        JWTVerifier-->>Interceptors: Create Unary/Stream Interceptors
        Interceptors->>APIServer: Attach Authentication Interceptors
    else JWTVerifier is nil
        APIServer->>APIServer: Proceed without authentication
    end
```

The sequence diagram illustrates the conditional JWT verification process during API server initialization, showing how the JWT verifier is optionally used to create authentication interceptors.


📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d553971 and aef0090.

📒 Files selected for processing (3)
  • pkg/api/server.go (3 hunks)
  • pkg/server/server.go (2 hunks)
  • pkg/testutils/api/api.go (3 hunks)
🚧 Files skipped from review as they are similar to previous changes (3)
  • pkg/testutils/api/api.go
  • pkg/server/server.go
  • pkg/api/server.go


Copy link
Contributor Author

neekolas commented Jan 3, 2025

This stack of pull requests is managed by Graphite. Learn more about stacking.

prometheus.StreamServerInterceptor,
}

if jwtVerifier != nil {
Copy link
Contributor Author

@neekolas neekolas Jan 3, 2025


Payer APIs can't use the JWT verifier, since they aren't a valid audience for the token, so it's optional
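To make the pattern described in the walkthrough concrete (base interceptors always attached, the authentication interceptor only when a non-nil verifier is supplied) and to show why the audience check matters for the payer-API case noted above, here is an added Go example. It is not code from this project or from the PR: the JWTVerifier interface, the HS256-based hmacVerifier, the Handler/UnaryInterceptor types modelled on gRPC's unary interceptor shape, and the helpers Chain, AuthInterceptor, BuildHandler and MintToken are all constructed for the example. The project's real verifier is authn.NewRegistryVerifier, whose internals the page does not show.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JWTVerifier is a stand-in for the verifier the PR threads into NewAPIServer.
type JWTVerifier interface {
	Verify(token string) error
}

// hmacVerifier is a constructed HS256 verifier bound to one expected audience;
// it is not the project's registry-backed verifier (authn.NewRegistryVerifier).
type hmacVerifier struct {
	key      []byte
	audience string
}

// Verify checks the signature (always HS256; the header's alg is never trusted)
// before reading any claim, then enforces the audience: a correctly signed token
// minted for another audience, such as a payer API, is still rejected.
func (v hmacVerifier) Verify(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed token")
	}
	mac := hmac.New(sha256.New, v.key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return fmt.Errorf("bad signature")
	}
	var c struct{ Aud string `json:"aud"` }
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil {
		return fmt.Errorf("bad payload encoding")
	} else if err := json.Unmarshal(payload, &c); err != nil {
		return err
	}
	if c.Aud != v.audience {
		return fmt.Errorf("audience %q not accepted", c.Aud)
	}
	return nil
}

// Handler and UnaryInterceptor mirror the shape of a gRPC unary interceptor chain;
// the token argument stands in for request metadata, so no grpc import is needed.
type Handler func(token, req string) (string, error)
type UnaryInterceptor func(token, req string, next Handler) (string, error)

// Chain composes interceptors so the first in the slice runs outermost (the
// ordering grpc.ChainUnaryInterceptor gives).
func Chain(interceptors []UnaryInterceptor, h Handler) Handler {
	for i := len(interceptors) - 1; i >= 0; i-- {
		ic, next := interceptors[i], h
		h = func(token, req string) (string, error) { return ic(token, req, next) }
	}
	return h
}

// AuthInterceptor rejects the call before the handler runs unless the token verifies.
func AuthInterceptor(v JWTVerifier) UnaryInterceptor {
	return func(token, req string, next Handler) (string, error) {
		if err := v.Verify(token); err != nil {
			return "", fmt.Errorf("unauthenticated: %w", err)
		}
		return next(token, req)
	}
}

// BuildHandler follows the PR's NewAPIServer pattern: base interceptors always, the
// auth interceptor only when a verifier is supplied. Callers that are not a valid
// audience (the payer APIs) pass a nil interface; a typed nil pointer would compare
// != nil and still attach the interceptor.
func BuildHandler(v JWTVerifier) Handler {
	tag := func(token, req string, next Handler) (string, error) {
		return next(token, "["+req+"]") // stands in for the prometheus/logging interceptors
	}
	interceptors := []UnaryInterceptor{tag}
	if v != nil {
		interceptors = append(interceptors, AuthInterceptor(v))
	}
	return Chain(interceptors, func(_, req string) (string, error) { return "ok:" + req, nil })
}

// MintToken builds an HS256 token for the demo (constructed, not project code).
func MintToken(key []byte, aud string) string {
	payload, _ := json.Marshal(map[string]string{"aud": aud})
	body := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) +
		"." + base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(body))
	return body + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func main() {
	key := []byte("constructed-demo-key") // constructed demo secret
	secured := BuildHandler(hmacVerifier{key: key, audience: "replication"})
	fmt.Println(secured(MintToken(key, "replication"), "sync")) // ok:[sync] <nil>
	fmt.Println(secured(MintToken(key, "payer"), "sync"))       // "" unauthenticated: audience "payer" not accepted
	fmt.Println(BuildHandler(nil)("", "publish"))               // ok:[publish] <nil>
}
```

Two design points carry over to the real server regardless of which verifier backs the interface: the signature is checked before any claim is decoded, so an unsigned or tampered payload never influences the audience decision, and the "no verifier" path is selected by a nil interface value rather than by a flag, which keeps the interceptor list the single place where authentication is or is not attached.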

@neekolas neekolas force-pushed the 01-03-use_jwt_verifier_in_api_server branch from d553971 to aef0090 on January 3, 2025 18:30
Copy link

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (1)
pkg/server/server.go (1)

208-213: Conditional JWT verifier creation
Creating the jwtVerifier only if replication is enabled is appropriate, minimizing resource usage. Double-check that you cover other operational modes if they also need JWT.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a1f6462 and d553971.

📒 Files selected for processing (3)
  • pkg/api/server.go (3 hunks)
  • pkg/server/server.go (2 hunks)
  • pkg/testutils/api/api.go (3 hunks)
🔇 Additional comments (10)
pkg/testutils/api/api.go (3)

14-14: Good import usage for JWT validation
Bringing in authn is a solid move toward centralized and testable JWT verification logic.


82-83: Validate and test the JWT verifier
It's good to see jwtVerifier being instantiated with authn.NewRegistryVerifier. Ensure that mockRegistry is properly configured for unit tests so the verifier produces valid tokens during local test runs.


113-113: Consistent parameter passing
The addition of jwtVerifier to api.NewAPIServer aligns with the new authentication flow. This maintains clarity and a straightforward integration path for JWT-based security.

pkg/api/server.go (5)

10-12: Relevant imports for authentication interceptors
These imports indicate usage of JWT verification and custom interceptors. Ensure no duplication of coverage in other packages to keep dependencies concise.


46-46: Augmented server constructor
Incorporating jwtVerifier into the API server's signature is a clean approach. Confirm existing call sites are updated to provide the parameter (or nil) as needed to avoid runtime errors.


73-79: Interceptor arrays extracted
Declaring interceptor slices prior to grpc.ChainUnaryInterceptor/ChainStreamInterceptor is a clean pattern. This change also clarifies future expansions (e.g. new interceptors).


80-84: Conditional JWT interceptor initialization
Properly checks for a non-nil jwtVerifier, limiting overhead when authentication is disabled. This approach is efficient and maintains clear separation of concerns.


Line range hint 220-220: Ensure external references match
Passing jwtVerifier here is key. Confirm that consumers of this constructor are aware of the new parameter so they can supply either a valid verifier or nil as needed.

pkg/server/server.go (2)

11-13: Imports for resolver logic
Including authn and retaining mlsvalidate remains consistent with the new integrated security approach. Consider removing unused imports (if any) to keep the package lean.


220-220: Param passing for optional authentication
jwtVerifier neatly extends api.NewAPIServer. Validate that replication or other features relying on JWT are exercised in integration tests to confirm token flows are correct.

@neekolas neekolas marked this pull request as ready for review January 3, 2025 19:03
@neekolas neekolas requested a review from a team as a code owner January 3, 2025 19:03
@neekolas neekolas merged commit ab9d996 into main Jan 6, 2025
8 checks passed
@neekolas neekolas deleted the 01-03-use_jwt_verifier_in_api_server branch January 6, 2025 16:05
@mkysel mkysel mentioned this pull request Jan 6, 2025