feat(api-keys): add read_only field to api-keys #3554
Conversation
bodymindarts
requested review from
nicolasburtey and
vindard
and removed request for
nicolasburtey
bodymindarts
force-pushed
the
read-only-keys
branch
from
2453428 to
4a17276
Compare
bodymindarts
changed the title
| return resolve(parent, args, context, info) | ||
| } | ||
|
|
||
| return mapError(new AuthorizationError("not authorized to read transactions")) | ||
| return mapError(new AuthorizationError("not authorized to read data")) |
There was a problem hiding this comment.
I'm assuing if we have a read_only, the alternative is a read+write token, so I don't think there is a scenario currently in which we are not authorized to read?
There was a problem hiding this comment.
Theoretically when logging into dashboard someone may just select 'Offline' scope - though that is unlikely as we are skipping that step in production.
There was a problem hiding this comment.
I think we can remove the offline for now btw, we don't need a refresh token for our current use case. I was using it when developing on hydra to get a deeper understanding of hydra and oauth2
| } | ||
|
|
||
| if (scope.find((s) => s === ScopesOauth2.PaymentsSend) !== undefined) { | ||
| if (scope.find((s) => s === ScopesOauth2.Write) !== undefined) { |
There was a problem hiding this comment.
will we get an otel span propagate with the scope of the request?
There was a problem hiding this comment.
They should be added here but I can't seem to find the information in the query https://github.com/GaloyMoney/galoy/blob/b87bfcd1539d35045551b1457ba478f8841041e2/core/api/src/servers/graphql-main-server.ts#L82
| @@ -87,7 +87,7 @@ | |||
| mutators: | |||
| - handler: id_token | |||
| config: #! TODO: add aud: {"aud": ["https://api/graphql"] } | |||
| claims: '{"sub": "{{ print .Subject }}", "session_id": "{{ print .Extra.id }}", "expires_at": "{{ print .Extra.expires_at }}", "scope": "{{ print .Extra.scope }}", "client_id": "{{ print .Extra.client_id }}" }' | |||
| claims: '{"sub": "{{ print .Subject }}", "session_id": "{{ print .Extra.id }}", "expires_at": "{{ print .Extra.expires_at }}", "scope": "{{ print .Extra.scope }}", "client_id": "{{ print .Extra.client_id }}"}' | |||
There was a problem hiding this comment.
is there a way to know if a request comes from an API token versus kratos or hydra?
There was a problem hiding this comment.
I don't believe we currently have a clear differentiation ATM.
There was a problem hiding this comment.
I think we should definitively have that (as a follow up PR)
Co-authored-by: Siddharth <siddharth@debian.siddharth>
No description provided.