Pass HTTP auth secrets using v2 manifest format #203

Merged
merged 16 commits into from
May 29, 2024
mattjohnsonpint
Member

@mattjohnsonpint mattjohnsonpint commented May 29, 2024

  • Uses v2 manifest format
  • Handles auth secrets in all outbound HTTP calls
  • Pre-caches all secrets for the backend at startup, and monitors for changes
  • Misc refactoring and cleanup
  • Update readme file

Completes HYP-1207

linear bot commented May 29, 2024

HYP-1207 Host authentication needs serious improvement

Currently we support a single "API Key" for each host. We allow the user to enter it in the console, we save it to Secrets Manager, and we assign it to a header on outbound requests where the header is specified by authToken in the manifest.

This is very limiting, as there are many different kinds of authentication schemes used by APIs. Many APIs pass tokens on the URL query string, or in the request body, or other locations. Some require more complex short-lived tokens to be generated on the fly, etc.

Even with the current approach it's not ideal for the user because they have to include the entire header - not just their auth token. For example, if using the GitHub API, if your token is "abc123" you have to enter "BEARER abc123" in the console. The auth scheme should be separate from the token.

For APIs that use HTTP Basic authentication, they need a username and password - both of which should be secret. We then have to compose the Authorization header according to RFC 7617, i.e., Authorization: Basic <base64(<username>:<password>)>.

APIs that require short-lived JWTs may need some support for generating them based on other credentials (private keys, etc.)

We should break this out into several items to support each auth scheme, and work from the user backwards, i.e., start from the function, through to the runtime, then the manifest, and ultimately the console.
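
The header composition described in the issue above, as an added example that is not code from this PR or from the project: the auth scheme is kept separate from the secret values, and the values are validated before they reach the header. The `Credential` type and the `AuthorizationHeader` and `hasCTL` functions are hypothetical names, and the sample credentials are constructed.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Credential is a hypothetical type for this example: the auth scheme is
// stored separately from the secret values, as the issue text asks for.
type Credential struct {
	Scheme             string // "bearer" or "basic"
	Token              string // bearer only
	Username, Password string // basic only
}

// hasCTL reports whether s contains a control character (CR and LF included).
func hasCTL(s string) bool {
	return strings.IndexFunc(s, func(r rune) bool { return r < 0x20 || r == 0x7f }) >= 0
}

// AuthorizationHeader composes the Authorization header value from secrets.
func AuthorizationHeader(c Credential) (string, error) {
	switch strings.ToLower(c.Scheme) {
	case "bearer":
		if c.Token == "" || hasCTL(c.Token) || strings.ContainsRune(c.Token, ' ') {
			return "", errors.New("bearer token is empty or contains illegal characters")
		}
		return "Bearer " + c.Token, nil
	case "basic":
		// RFC 7617: the user-id must not contain ':'; the password may.
		if strings.ContainsRune(c.Username, ':') {
			return "", errors.New("basic username must not contain ':'")
		}
		if hasCTL(c.Username) || hasCTL(c.Password) {
			return "", errors.New("basic credentials contain control characters")
		}
		raw := c.Username + ":" + c.Password
		return "Basic " + base64.StdEncoding.EncodeToString([]byte(raw)), nil
	default:
		return "", fmt.Errorf("unsupported auth scheme %q", c.Scheme)
	}
}

func main() {
	h, err := AuthorizationHeader(Credential{Scheme: "basic", Username: "Aladdin", Password: "open sesame"})
	fmt.Println(h, err)
}
```

Rejecting control characters keeps a stored secret containing CR or LF from splitting the outbound request's header block.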

@mattjohnsonpint mattjohnsonpint marked this pull request as draft May 29, 2024 01:13
@mattjohnsonpint mattjohnsonpint marked this pull request as ready for review May 29, 2024 01:24
@mattjohnsonpint mattjohnsonpint requested a review from jairad26 May 29, 2024 01:33
@mattjohnsonpint mattjohnsonpint merged commit 952a8ac into main May 29, 2024
4 checks passed
@mattjohnsonpint mattjohnsonpint deleted the mjp/http-secrets branch May 29, 2024 02:57
sentry-io bot commented May 29, 2024

Suspect Issues

This pull request was deployed and Sentry observed the following issues:

  • ‼️ Error: environment variable HYPERMODE_METADATA_DB was not found hmruntime/db in Initialize View Issue
  • ‼️ Error: operation error Secrets Manager: ListSecrets, https response error StatusCode: 400, RequestID: 13... hmruntime/secrets in (*awsSecretsProvider).moni... View Issue

2 participants