Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Handle API authentication errors for the API services #1034

Merged
merged 4 commits into from
Jan 16, 2025
Merged

Handle API authentication errors for the API services #1034

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
9041d5e
Handle API authentication errors for the RM API
arahmarchak Dec 11, 2024
bf1fdb7
Handle API authentication errors for the AppEngine API
arahmarchak Jan 13, 2025
96822dc
Handle API authentication errors for the Housekeeping API
arahmarchak Jan 13, 2025
e7c1eb7
Handle API authentication errors for the Pairing API
arahmarchak Jan 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 31 additions & 3 deletions apps/astarte_appengine_api/lib/astarte_appengine_api_web/controllers/fallback_controller.ex
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -204,11 +204,39 @@ defmodule Astarte.AppEngine.APIWeb.FallbackController do
|> render(:"422_unexpected_object_key")
end

# Invalid authorized path
def call(conn, {:error, :invalid_auth_path}) do
conn
|> put_status(:unauthorized)
|> put_view(Astarte.AppEngine.APIWeb.ErrorView)
|> render(:invalid_auth_path)
end

# This is called when no JWT token is present
def auth_error(conn, {:unauthenticated, reason}, _opts) do
_ =
Logger.info("Refusing unauthenticated request: #{inspect(reason)}.", tag: "unauthenticated")
def auth_error(conn, {:unauthenticated, :unauthenticated}, _opts) do
conn
|> put_status(:unauthorized)
|> put_view(Astarte.AppEngine.APIWeb.ErrorView)
|> render(:missing_token)
end

# Invalid JWT token
def auth_error(conn, {:invalid_token, :invalid_token}, _opts) do
conn
|> put_status(:unauthorized)
|> put_view(Astarte.AppEngine.APIWeb.ErrorView)
|> render(:invalid_token)
end

# Path not authorized
def auth_error(conn, {:unauthorized, :authorization_path_not_matched}, _opts) do
conn
|> put_status(:forbidden)
|> put_view(Astarte.AppEngine.APIWeb.ErrorView)
|> render(:authorization_path_not_matched, %{method: conn.method, path: conn.request_path})
end

def auth_error(conn, {:unauthenticated, _reason}, _opts) do
conn
|> put_status(:unauthorized)
|> put_view(Astarte.AppEngine.APIWeb.ErrorView)
Expand Down
24 changes: 24 additions & 0 deletions apps/astarte_appengine_api/lib/astarte_appengine_api_web/views/error_view.ex
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -110,6 +110,30 @@ defmodule Astarte.AppEngine.APIWeb.ErrorView do
%{errors: %{detail: "Forbidden"}}
end

def render("missing_token.json", _assigns) do
%{errors: %{detail: "Missing authorization token"}}
end

def render("invalid_token.json", _assigns) do
%{errors: %{detail: "Invalid JWT token"}}
end

def render("invalid_auth_path.json", _assigns) do
%{
errors: %{
detail: "Authorization failed due to an invalid path"
}
}
end

def render("authorization_path_not_matched.json", %{method: method, path: path}) do
%{
errors: %{
detail: "Unauthorized access to #{method} #{path}. Please verify your permissions"
}
}
end

def render("503_cannot_push_to_device.json", _assigns) do
%{errors: %{detail: "Cannot push to device"}}
end
Expand Down
170 changes: 113 additions & 57 deletions apps/astarte_appengine_api/priv/static/astarte_appengine_api.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -136,11 +136,9 @@ paths:
- 8ZxuSGkU7pggwoomJeXo9g
- k-IFKDPoVzIXUcFkF7U80A
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'/{realm_name}/devices/{device_id}':
parameters:
- name: realm_name
Expand Down Expand Up @@ -176,11 +174,9 @@ paths:
data:
$ref: '#/components/schemas/DeviceStatus'
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: Device not found
content:
Expand Down Expand Up @@ -221,11 +217,9 @@ paths:
'400':
description: Bad request
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: Device not found.
content:
Expand Down Expand Up @@ -272,11 +266,9 @@ paths:
data:
$ref: '#/components/schemas/DeviceStatus'
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: Device not found
content:
Expand Down Expand Up @@ -317,11 +309,9 @@ paths:
'400':
description: Bad request
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: Device not found.
content:
Expand Down Expand Up @@ -371,11 +361,9 @@ paths:
- com.test.foo
- com.test.bar
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: Device not found.
content:
Expand Down Expand Up @@ -423,11 +411,9 @@ paths:
'200':
description: Success
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: Interface not found in introspection or device not found.
content:
Expand Down Expand Up @@ -525,11 +511,9 @@ paths:
'200':
description: Success
'401':
description: Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: >-
Path not found or interface not found in introspection or device not
Expand Down Expand Up @@ -588,11 +572,9 @@ paths:
'400':
description: Bad request
'401':
description: Realm doesn't exist or operation not allowed.
content:
'*/*':
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: >-
Endpoint not found or interface not found in introspection or device
Expand Down Expand Up @@ -650,11 +632,9 @@ paths:
'400':
description: Bad request
'401':
description: Realm doesn't exist or operation not allowed.
content:
'*/*':
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: >-
Endpoint not found or interface not found in introspection or device
Expand Down Expand Up @@ -710,11 +690,9 @@ paths:
'204':
description: Success
'401':
description: Realm doesn't exist or operation not allowed.
content:
'*/*':
schema:
$ref: '#/components/schemas/UnauthorizedError'
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
description: >-
Path not found or interface not found in introspection or device not
Expand Down Expand Up @@ -748,6 +726,8 @@ paths:
$ref: '#/components/responses/IndexGroups'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
post:
tags:
- groups
Expand All @@ -767,6 +747,8 @@ paths:
$ref: '#/components/responses/GroupCreated'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'422':
$ref: '#/components/responses/InvalidGroupConfig'
'/{realm_name}/groups/{group_name}':
Expand All @@ -788,6 +770,8 @@ paths:
$ref: '#/components/responses/GetGroup'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
$ref: '#/components/responses/GroupNotFound'
'/{realm_name}/groups/{group_name}/devices':
Expand All @@ -808,6 +792,8 @@ paths:
$ref: '#/components/responses/IndexGroupDevices'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
$ref: '#/components/responses/GroupNotFound'
post:
Expand All @@ -829,6 +815,8 @@ paths:
description: Success
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
$ref: '#/components/responses/GroupNotFound'
'422':
Expand All @@ -852,6 +840,8 @@ paths:
description: Device removed
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
'404':
$ref: '#/components/responses/GroupOrDeviceNotFound'
'/{realm_name}/stats/devices':
Expand All @@ -871,6 +861,8 @@ paths:
$ref: '#/components/responses/GetDevicesStats'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/AuthorizationPathNotMatched'
components:
securitySchemes:
JWT:
Expand Down Expand Up @@ -1000,11 +992,24 @@ components:
group_name:
- is invalid
Unauthorized:
description: Realm doesn't exist or operation not allowed.
description: Token/Realm doesn't exist or operation not allowed.
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/MissingTokenError'
- $ref: '#/components/schemas/InvalidTokenError'
- $ref: '#/components/schemas/InvalidAuthPathError'
- $ref: '#/components/schemas/UnauthorizedError'
AuthorizationPathNotMatched:
description: Authorization path not matched.
content:
application/json:
schema:
$ref: '#/components/schemas/UnauthorizedError'
type: object
properties:
data:
$ref: '#/components/schemas/AuthorizationPathNotMatchedError'
GroupNotFound:
description: Group not found
content:
Expand Down Expand Up @@ -1252,3 +1257,54 @@ components:
example:
errors:
detail: Unauthorized
MissingTokenError:
type: object
properties:
errors:
type: object
properties:
detail:
type: string
description: Short error description
example:
errors:
detail: Missing authorization token

InvalidTokenError:
type: object
properties:
errors:
type: object
properties:
detail:
type: string
description: Short error description
example:
errors:
detail: Invalid JWT token

InvalidAuthPathError:
type: object
properties:
errors:
type: object
properties:
detail:
type: string
description: Short error description
example:
errors:
detail: Authorization failed due to an invalid path

AuthorizationPathNotMatchedError:
type: object
properties:
errors:
type: object
properties:
detail:
type: string
description: Detailed error message including the method and path
example:
errors:
detail: Unauthorized access to GET /api/v1/some_path. Please verify your permissions
Loading
Loading