router icon indicating copy to clipboard operation
router copied to clipboard

Published 20 hours ago • verified publisher icon apollographql

feat: ignore other auth prefixes

Open lleadbet opened this issue 1 year ago • 2 comments

This PR enables the JWT plugin to ignore other auth prefixes other than the one defined in the configuration. As to not break existing uses, this is defaulting to be false.

This enables multiple Authorization schemes to be supported, although other schemes would need to be handled in either Rhai or a coprocessor to be used with the AuthN plugin.

Checklist

Complete the checklist (and note appropriate exceptions) before the PR is marked ready-for-review.

  • [x] Changes are compatible[^1]
  • [x] Documentation[^2] completed
  • [ ] Performance impact assessed and acceptable
  • Tests added and passing[^3]
    • [x] Unit Tests
    • [ ] Integration Tests
    • [ ] Manual Tests

Exceptions

Empty prefixes will not be affected by this change as there is no prefix to ignore.

Notes

[^1]: It may be appropriate to bring upcoming changes to the attention of other (impacted) groups. Please endeavour to do this before seeking PR approval. The mechanism for doing this will vary considerably, so use your judgement as to how and when to do this. [^2]: Configuration is an important part of many changes. Where applicable please try to document configuration examples. [^3]: Tick whichever testing boxes are applicable. If you are adding Manual Tests, please document the manual testing (extensively) in the Exceptions.

lleadbet avatar Feb 22 '24 16:02 lleadbet

CI performance tests

  • [ ] reload - Reload test over a long period of time at a constant rate of users
  • [ ] events_big_cap_high_rate_callback - Stress test for events with a lot of users, deduplication enabled and high rate event with a big queue capacity using callback mode
  • [ ] events_without_dedup_callback - Stress test for events with a lot of users and deduplication DISABLED using callback mode
  • [ ] large-request - Stress test with a 1 MB request payload
  • [x] const - Basic stress test that runs with a constant number of users
  • [ ] no-graphos - Basic stress test, no GraphOS.
  • [ ] step-jemalloc-tuning - Clone of the basic stress test for jemalloc tuning
  • [ ] events - Stress test for events with a lot of users and deduplication ENABLED
  • [ ] events_callback - Stress test for events with a lot of users and deduplication ENABLED in callback mode
  • [ ] events_big_cap_high_rate - Stress test for events with a lot of users, deduplication enabled and high rate event with a big queue capacity
  • [ ] events_without_dedup - Stress test for events with a lot of users and deduplication DISABLED
  • [ ] xxlarge-request - Stress test with 100 MB request payload
  • [ ] xlarge-request - Stress test with 10 MB request payload
  • [x] step - Basic stress test that steps up the number of users over time

router-perf[bot] avatar Feb 22 '24 16:02 router-perf[bot]

If this option exists and is set to true, doesn't that mean that an attacker could bypass JWT authentication by simply setting another prefix? I know that the burden of responsibility then lies on the user to perform that authentication, but it still bothers me that the config is providing this open door as part of our JWT scheme. I feel like we need to document somewhere in big RED LETTERS what the implications of using this are.

I agree. It's definitely a fine line to tread, but some folks do bearer for jwts, basic for token-based, or any mix.

If we could in the future have the plugin do auth schemes based on prefixes (e.g. bearer is now the JWT plugin) that might solve for some of the concern.

And to be honest- the changing of headers would still be applicable for any other system that does auth. We (SAs) still highly recommend validating the token in the subgraph regardless.

Going to flag up to sec and see what they say, however.

lleadbet avatar Feb 23 '24 14:02 lleadbet