#4736 Improvements to auth testing #4919
Conversation
|
Deploy preview for hasura-docs ready! Built with commit d862afb |
|
Review app for commit 85a4d1b deployed to Heroku: https://hge-ci-pull-4919.herokuapp.com |
85a4d1b to
a8bcd7b
Compare
|
Review app for commit a8bcd7b deployed to Heroku: https://hge-ci-pull-4919.herokuapp.com |
a8bcd7b to
fa2589f
Compare
|
Review app for commit fa2589f deployed to Heroku: https://hge-ci-pull-4919.herokuapp.com |
|
@0x777 @rakeshkky bump for review |
abooij
left a comment
There was a problem hiding this comment.
I've gone through the code, and most of my feedback relates to the comments, namely the motivation of the code. I think this PR improves on the quality of the authentication and of the testing that we do, and so my feedback is just an attempt to help it one small step further.
I should add that I can't say that I'm convinced that the authentication code is correct. We'd need to significantly rework how authentication is done, so that more correctness properties can be obvious from the type system alone, rather than the right checks and guards being in place. It should be possible to write an API which encapsulates authentication using compile-time guarantees, and additionally works by a "whitelisting" approach rather than blacklisting access using ifs and cases. But I won't ask this to be done now.
@0x777 I did my best to review this, but for such an important topic I'd like your input on this as well, at least to judge if you think there are any weak spots in my analysis.
Store the admin secret only as a hash to prevent leaking the secret inadvertently, and to prevent timing attacks on the secret. NOTE: best practice for stored user passwords is a function with a tunable cost like bcrypt, but our threat model is quite different (even if we thought we could reasonably protect the secret from an attacker who could read arbitrary regions of memory), and bcrypt is far too slow (by design) to perform on each request. We'd have to rely on our (technically savvy) users to choose high entropy passwords in any case. Referencing hasura#4736
The bulk of changes here is some shifting of code around and a little parameterizing of functions for easier testing. Also: comments, some renaming for clarity/less-chance-for-misue.
fa2589f to
5e37350
Compare
|
Thanks for the review @abooij ! Addressed comments in latest |
|
Review app for commit 5e37350 deployed to Heroku: https://hge-ci-pull-4919.herokuapp.com |
|
Review app for commit d862afb deployed to Heroku: https://hge-ci-pull-4919.herokuapp.com |
|
Review app https://hge-ci-pull-4919.herokuapp.com is deleted |
Description
One minor user-facing change. The second commit is just a refactor for ease of unit testing (and as a consequence, better code organization hopefully)
Changelog
CHANGELOG.mdis updated with user-facing content relevant to this PR.Affected components
Related Issues
#4736 ... it's not clear if this is sufficient to close that issue
Solution and Design
Simple factoring out of tricky bits to make unit tests of core auth logic possible. This would also be the first step towards more clever solutions like e.g. having a JWT transformer/effect, but I don't think that gives us much.
Steps to test and verify
Limitations, known bugs & workarounds
Server checklist
Catalog upgrade
Does this PR change Hasura Catalog version?
Metadata
Does this PR add a new Metadata feature?
run_sqlauto manages the new metadata through schema diffing?run_sqlauto manages the definitions of metadata on renaming?export_metadata/replace_metadatasupports the new metadata added?GraphQL
Breaking changes
No Breaking changes
There are breaking changes:
Metadata API
Existing
querytypes:argspayload which is not backward compatibleJSONschemaGraphQL API
Schema Generation:
NamedTypeSchema Resolve:-
nullvalue for any input fieldsLogging
JSONschema has changedtypenames have changed