Handling authorization header #998

Closed
sensille opened this issue Jan 31, 2023 · 7 comments

@sensille

I'm building a JSON-RPC server and would like to handle the HTTP authorization header. The handler itself has no access to the headers. I've seen that I can add a middleware handler which has access to the header, but I don't see a way to pass that information (the authorized user) down to the JSON-RPC handler. Is there an easy way to achieve this?

@lexnv
Contributor

lexnv commented Jan 31, 2023

Hi,

If I understand correctly, you want to enable some authentication-based mechanisms before letting the RPC core handle your requests.

Indeed that could be achieved with a middleware:

```rust
pub struct AuthLayer {
    pub secret: String, // unsafe for example purposes only
}

impl AuthLayer {
    // Construct the layer with its secret.
    fn new(secret: String) -> Self {
        Self { secret }
    }
}
```

There are a few more examples here: https://docs.rs/tower-http/latest/tower_http/auth/struct.AddAuthorizationLayer.html, maybe the middleware that you want to implement is already there.

And here is a snippet showing how to integrate the middleware with our RPC:

```rust
use hyper::Method;
use tower_http::cors::{Any, CorsLayer};

let cors = CorsLayer::new()
    // Allow `POST` when accessing the resource
    .allow_methods([Method::POST])
    // Allow requests from any origin
    .allow_origin(Any)
    .allow_headers([hyper::header::CONTENT_TYPE]);
// Wrap the CORS layer in a tower middleware stack
let middleware = tower::ServiceBuilder::new().layer(cors);
```

@sensille
Author

Yes, I want to add an authorization layer. But I also have to pass the information about which user is authenticated to the RPC method handler.

@sensille
Author

I found an example from tower_http::auth::AuthorizeRequest where the user is stored with

request.extensions_mut().insert(user_id);

But I assume I can't access this from the handler.

@niklasad1
Member

niklasad1 commented Feb 10, 2023

You mean that you want to fetch the user info from the Authorization header and pass it as input to the RPC method call?

I think it should be possible to do something similar to what we have for ProxyRequest, https://github.com/paritytech/jsonrpsee/blob/master/server/src/middleware/proxy_get_request.rs

Basically, read the data from the authorization header and create a new RPC call with the authorization data as params, which you then send as the HTTP request body (https://github.com/paritytech/jsonrpsee/blob/master/server/src/middleware/proxy_get_request.rs#L101-#L118)
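
One way to implement the rewrite described in the comment above, as an added example that is not part of the thread or of jsonrpsee: a std-only Rust sketch that checks a Bearer token and builds a new request body in which the user comes only from the verified header. The `auth_call` method name, the `user`/`request` params layout and the token table are assumptions made for illustration.

```rust
// Added example: std-only sketch, not jsonrpsee code. The method name
// `auth_call` and the params layout are assumptions made for illustration.

/// Extract the credential from an `Authorization: Bearer <token>` value.
fn bearer_token(header: &str) -> Option<&str> {
    let (scheme, token) = header.trim().split_once(' ')?;
    let token = token.trim();
    (scheme.eq_ignore_ascii_case("Bearer") && !token.is_empty()).then_some(token)
}

/// Compare without returning early on the first differing byte.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |acc, (x, y)| acc | (x ^ y)) == 0
}

/// Map a header value to a user id via a (token, user) table.
fn authenticate<'a>(header: &str, table: &[(&str, &'a str)]) -> Option<&'a str> {
    let token = bearer_token(header)?;
    table.iter().find(|(t, _)| ct_eq(t.as_bytes(), token.as_bytes())).map(|(_, u)| *u)
}

/// Encode `s` as a JSON string literal so it cannot break out of its field.
fn json_string(s: &str) -> String {
    let mut out = String::from("\"");
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out + "\""
}

/// Build the body the middleware forwards: the user comes only from the
/// verified header, and the client's original body travels as an opaque string.
fn wrap_request(user: &str, original_body: &str) -> String {
    let params = format!(r#"{{"user":{},"request":{}}}"#, json_string(user), json_string(original_body));
    format!(r#"{{"jsonrpc":"2.0","id":0,"method":"auth_call","params":{params}}}"#)
}

fn main() {
    // Constructed sample: the client claims "root" inside its own params.
    let body = r#"{"jsonrpc":"2.0","id":1,"method":"say_hello","params":{"user":"root"}}"#;
    let user = authenticate("Bearer constructed-token", &[("constructed-token", "alice")]);
    println!("{}", user.map_or(String::from("401 Unauthorized"), |u| wrap_request(u, body)));
}
```

Because the client's body is carried as an escaped string, a `user` field the client puts in its own params never reaches the top level of the forwarded call. A real middleware would also have to map the response back to the client's original request id.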

@sensille
Author

Thanks. Wouldn't that mean I have to parse the request, amend it, build a new request, which gets parsed again? That seems a bit wasteful, if my understanding is correct. But I could solve it that way until direct header access is possible.

@niklasad1
Member

> Wouldn't that mean I have to parse the request, amend it, build a new request, which gets parsed again? That seems a bit wasteful, if my understanding is correct

Yepp, you are right but if you really care about that overhead you can manage your own server and just use RpcMethods from jsonrpsee.

That's the trade-off right now.

@sensille
Author

Thanks!
