examples: add auth+acl example like we do in some of our apis

[pkieltyka]

No description provided.

[hugows]

I'd love to understand how to go about this: do I add some kind of token on every method?

service ExampleService
  - Ping(token: string)
  - Status(token: string) => (status: bool)
  - GetUserByID(token: string, userID: uint64) => (user: User)
  - IsOnline(token: string, user: User) => (online: bool)
  - ListUsers(token: string, q?: UsersQueryFilter) => (page: uint32, users: []User)

[pkieltyka]

I don't have any sample code, but keep in mind webrpc-gen just code-generates the server code as a standard http.Handler interface. Meaning you can use any of Go's standard http middleware, or whatever the respective target you're building for (ie. nodejs).

For a go server, you can use https://github.com/goware/jwtauth for an auth key, then write yourself a custom "ACL" middleware handler that checks the r.URL.Path, parse the /rpc/:service/:method and then make up the rules you want to the auth token depending on the method permission. I suggest to use the r.Context() (request context) to add the user account, and their role-level, then in your final rpc method such as GetUserByID, you can access this context data out of the ctx first parameter. If the request makes it to this method, you know they have some sort of permission, otherwise it should 401/403 before reaching this endpoint. For fine-grained control, just fetch the user/role off the context and then determine based on the kind of arguments what is permitted.

Thats it.

Once you have this structure setup in your workflow, its extremely easy to add support for other methods, and to manage controls. The ACL code should be quite small too.

[ottob]

Thanks for a very nice project!

On the client side, is the preferred way to pass the auth token in the headers parameter in the service call?:
private = (headers?: object): Promise<PrivateReturn> => {

Like so:

const headers = {
   Authorization: `Bearer ${await currentUser.getIdToken()}`,
}
const resp = await api.private(headers)

[pkieltyka]

@ottob that certainly works, but also since the generated api accepts a fetch method as an argument, you can actually wrap it and add additional functionality, such as automatically setting the jwt. See for instance the example below which is some code I've pulled out from one of my projects

export * from './api.gen'

import { ArcadeumAPI as BaseArcadeumAPI } from './api.gen'

export class ArcadeumAPI extends BaseArcadeumAPI {
  jwtAuth: string | undefined = undefined

  constructor(hostname: string) {
    super(hostname, window.fetch)
    this.fetch = this._fetch
  }

  _fetch = (input: RequestInfo, init?: RequestInit): Promise<Response> => {
    return new Promise<Response>((resolve, reject) => {
      // automatically include jwt auth header to requests
      // if its been set on the api client
      const headers = {}
      if (this.jwtAuth && this.jwtAuth.length > 0) {
        headers['Authorization'] = `BEARER ${this.jwtAuth}`
      }

      // before the request is made
      init!.headers = { ...init!.headers, ...headers }
  
      window.fetch(input, init).then(resp => {
        // after the request has been made..
        resolve(resp)
      }).catch(err => {
        // request error
        reject(err)
      })
    })
  } 
}

[ottob]

Great! Im new to js/ts but that helps a lot, thanks.

[ottob]

I tried using your code now but got an error on this line: this.fetch = this._fetch

Property 'fetch' is private and only accessible within class 'MyService'. ts(2341)

Have you patched your gen.ts file so fetch is protected instead? Or am I missing something obvious?

edit: I'm using typescript 3.9.7