fix: three types of auth

TheGreatAlgo · TheGreatAlgo · commit 65d33e76ddd6 · 2025-03-14T20:42:20.000-04:00
diff --git a/.github/workflows/run-checks.yaml b/.github/workflows/run-checks.yaml
@@ -25,7 +25,6 @@ jobs:
           run_daemon: true
         id: ipfs_setup
 
-
       - name: Install and configure Nginx
         run: |
           # Install Nginx
@@ -38,10 +37,28 @@ jobs:
               listen 5002;
               server_name localhost;
 
+              # Default deny unless authenticated
+              set \$auth_valid 0;
+
               location /api/v0/ {
                   # Enforce X-API-Key for API key auth
-                  if (\$http_x_api_key != "test") {
-                      return 401 "Unauthorized: Invalid or missing X-API-Key";
+                  if (\$http_x_api_key = "test") {
+                      set \$auth_valid 1;
+                  }
+
+                  # Check Bearer token
+                  if (\$http_authorization = "Bearer test") {
+                      set \$auth_valid 1;
+                  }
+
+                  # Check Basic Auth (test:test = dGVzdDp0ZXN0)
+                  if (\$http_authorization = "Basic dGVzdDp0ZXN0") {
+                      set \$auth_valid 1;
+                  }
+
+                  # Deny if no valid auth method
+                  if (\$auth_valid = 0) {
+                      return 401 "Unauthorized: Invalid or missing authentication";
                   }
 
                   # Proxy to IPFS RPC API
diff --git a/tests/test_zarr_ipfs.py b/tests/test_zarr_ipfs.py
@@ -169,33 +169,44 @@ def test_authenticated_gateway(random_zarr_dataset: tuple[str, xr.Dataset]):
     xr.testing.assert_identical(loaded_ds, expected_ds)
 
     # # Test with just bearer_token key
-    # hamt = HAMT(
-    #     store=IPFSStore(           
-    #         # api_key="test",
-    #         # basic_auth=("test", "test"),
-    #         bearer_token="test",
-    #     ),
-    #     transformer_encode=encrypt,
-    #     transformer_decode=decrypt,
-    # )
-    # test_ds.to_zarr(store=hamt, mode="w")
-
-    # hamt.make_read_only()
-    # loaded_ds = xr.open_zarr(store=hamt)
-    # xr.testing.assert_identical(loaded_ds, expected_ds)
+    hamt = HAMT(
+        store=IPFSStore(           
+            bearer_token="test",
+        ),
+        transformer_encode=encrypt,
+        transformer_decode=decrypt,
+    )
+    test_ds.to_zarr(store=hamt, mode="w")
 
+    hamt.make_read_only()
+    loaded_ds = xr.open_zarr(store=hamt)
+    xr.testing.assert_identical(loaded_ds, expected_ds)
 
-    # Test with wrong API Key
+    # # Test with just basic auth
     hamt = HAMT(
-        store=IPFSStore(      
-            rpc_uri_stem = "http://127.0.0.1:5002",     
-            api_key="badKey",
+        store=IPFSStore(           
+            basic_auth=("test", "test"),
         ),
         transformer_encode=encrypt,
         transformer_decode=decrypt,
     )
+    test_ds.to_zarr(store=hamt, mode="w")
+
+    hamt.make_read_only()
+    loaded_ds = xr.open_zarr(store=hamt)
+    xr.testing.assert_identical(loaded_ds, expected_ds)
+
+
+    # Test with wrong API Key
     with pytest.raises(Exception):
-        test_ds.to_zarr(store=hamt, mode="w")
+        hamt = HAMT(
+            store=IPFSStore(      
+                rpc_uri_stem = "http://127.0.0.1:5002",     
+                api_key="badKey",
+            ),
+            transformer_encode=encrypt,
+            transformer_decode=decrypt,
+        )
 
     # Now trying to load without a decryptor, xarray should be able to read the metadata and still perform operations on the unencrypted variable
     print("Attempting to read and print metadata of partially encrypted zarr")
