rafiki
Make sig validation not processed in dev mode
If a user sets the Config.env = "dev" we should disable signature validation for incoming requests on the AS and the RS. For the AS we can remove the current mechanism we use to do that and rather just assume it from the mode.
This will make it initially much easier to work with Postman, as we still need to add signature support to it.
@matdehaast wanted to add more context here.
I believe the current mechanism actually lives on the RS, since on an Open Payments request you can just set `authorization: GNAP dev-access-token`, and it'll skip through the actual signature verification:
https://github.com/interledger/rafiki/blob/e2af7c2528fe4d2e7b614780d363882d845f0f5e/packages/backend/src/open_payments/auth/middleware.ts#L28-L34
However, what's a bit tricky here is that even though you can bypass sig verification, you still need to have `signature` and `signature-input` variables in the header (even if they are blank), as that checking is done inside the OpenAPI validation. I think we should keep that validation, but we should have the Postman collection include that on each of the requests.
https://github.com/interledger/rafiki/blob/e2af7c2528fe4d2e7b614780d363882d845f0f5e/packages/backend/src/app.ts#L332-L345
I don't believe there is anything to bypass signature validation on the AS side, however.
I haven't been able to validate these changes locally, but added a draft PR (above) in case it helps move this forward. I'm very new to the dev environment so don't yet understand the ins and outs of AS vs RS, but am proposing a new environmental variable / config instead of `Config.env = development` because I can imagine many developers wanting to test with full signatures and only occasionally wanting to bypass it... but I may be wrong about this, having never actually got rafiki up and running...
Ok, my dev problems were fixed, so I was able to run these tests locally and make some changes.
I'd love some feedback to see if the approach is right and worth continuing to do the same thing for RS, or if there's some other better way to do this.
I just saw @mkurapov's comment above (missed it before), so maybe this PR can be closed. I'm still missing quite a bit of context, sorry about that.
@mankins This is a good approach, I was just clarifying previously that the existing mechanism (with the dev-access-token) lives on the resource server side and not originally on the authorization server side.
I can take a look at the PR later tonight, and do some testing of my own too.
dev-access-token helps the RS skip HTTP signature validation on client-RS requests.
#683 will help the AS skip HTTP signature validation on client-AS requests.
resolved by:
- https://github.com/interledger/rafiki/pull/683 / https://github.com/interledger/rafiki/pull/735
- https://github.com/interledger/rafiki/pull/741
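
The gating discussed in this thread, as an added sketch that is not rafiki's code: the bypass is honoured only in development, is refused at startup in any other environment, and the `signature` / `signature-input` headers must still be present (blank is accepted). `bypassSignatureValidation`, `assertSafeConfig` and `decide` are hypothetical names, and the `'development'` env value is an assumption.

```typescript
// Added example with hypothetical names; not rafiki's middleware.
type Headers = Record<string, string | undefined>

interface Config {
  env: string                        // assumed values: 'development', 'production', ...
  bypassSignatureValidation: boolean // hypothetical opt-in flag, separate from env
}

type Decision = 'verify-signature' | 'skip-signature' | 'reject'

// Run once at startup: a bypass flag that leaks into a non-dev deployment
// stops the service instead of silently disabling signature checks.
function assertSafeConfig(config: Config): void {
  if (config.bypassSignatureValidation && config.env !== 'development') {
    throw new Error('signature bypass is only allowed when env is development')
  }
}

// Per-request decision. Header names are expected in lower case here.
function decide(config: Config, headers: Headers): Decision {
  // Presence is required even when the bypass is on, mirroring the
  // schema-level header check described in the thread.
  if (headers['signature'] === undefined || headers['signature-input'] === undefined) {
    return 'reject'
  }
  // Re-check env here too, so a skipped startup check cannot open the bypass.
  if (config.bypassSignatureValidation && config.env === 'development') {
    return 'skip-signature'
  }
  return 'verify-signature'
}

// Constructed sample requests (blank signature headers, as Postman would send).
const blankHeaders: Headers = { signature: '', 'signature-input': '' }
const devBypass: Config = { env: 'development', bypassSignatureValidation: true }
const devStrict: Config = { env: 'development', bypassSignatureValidation: false }

function sampleDecisions(): Decision[] {
  return [
    decide(devBypass, blankHeaders), // bypass on, headers present
    decide(devBypass, {}),           // bypass on, headers missing
    decide(devStrict, blankHeaders)  // dev without opt-in still verifies
  ]
}
```

Keeping the opt-in flag separate from `env` covers the case raised in the thread where developers want full signature checks in development most of the time.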