Skip to content

Add JWT generation for API server authentication#170

Merged
avalerio-tkd merged 9 commits into
mainfrom
av_auth_server_07
Nov 30, 2025
Merged

Add JWT generation for API server authentication#170
avalerio-tkd merged 9 commits into
mainfrom
av_auth_server_07

Conversation

@avalerio-tkd

Copy link
Copy Markdown
Collaborator
  • Adding module to read credentials on API server side via application keys.
  • Adding endpoint on API server to wire the /auth endpoint
  • Generates session JWTs for API client calls to the DBPS server.

@argmarco-tkd argmarco-tkd left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM. Left a couple of comments, no need for a new PR when/if addressed.

Comment thread src/server/auth_utils.h Outdated

// Note for Protegrity integration:
// - This is a simplified Authentication module used to complete the client integration.
// - It is fully functional, but for production deployment a fully pledged Identity Provider can be used instead.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo: I think you mean 'fledged' (instead of 'pledged')

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

Comment thread src/server/auth_utils.h Outdated
// - It is fully functional, but for production deployment a fully pledged Identity Provider can be used instead.
//
// TODO: Expand explanation below.
// - Note that no Arrow codebase changes would be needed to replace this with a fully pledged Identity Provider

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same typo as above.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done

Comment thread src/server/dbps_api_server.cpp Outdated
const std::string credentials_file_path = "credentials.json"; // Default path
if (!credential_store.init(credentials_file_path)) {
std::cout << "Warning: Failed to load credentials file: " << credentials_file_path << std::endl;
std::cout << "Server will continue to run, but credentials will not be validated." << std::endl;

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be a hard fail - instead of a soft fail where all requests may end up being rejected.

@avalerio-tkd avalerio-tkd Nov 30, 2025

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done. Moved it to a hard fail

Comment thread src/server/dbps_api_server.cpp Outdated
});

// Authentication endpoint - POST /auth
CROW_ROUTE(app, "/auth").methods("POST"_method)([&credential_store](const crow::request& req) {

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: is /auth standard? meaning? from where I sit, /auth may mean "give me permissions" or "please verify my permissions".

I'm OK to keep as is - mainly a question.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've used it like that in the past, but we can rename if it's confusing.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Renamed the endpoint to /token for clarity

Comment thread src/server/auth_utils.cpp Outdated

@argmarco-tkd argmarco-tkd left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks!

@avalerio-tkd

avalerio-tkd commented Nov 30, 2025

Copy link
Copy Markdown
Collaborator Author

@argmarco-tkd thanks for the review. Added the JWT verification on the /encrypt and /decrypt endpoints. Could you PTAL?

Comment thread src/server/auth_utils.cpp Outdated
void ClientCredentialStore::init(const std::map<std::string, std::string>& credentials) {
credentials_.clear();
credentials_ = credentials;
skip_credential_check_ = false; // Default: check credentials

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: why in negative? :) (again, a nit)

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. Will update that.

@argmarco-tkd argmarco-tkd left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM - thanks for this!

@avalerio-tkd

Copy link
Copy Markdown
Collaborator Author

@argmarco-tkd made a bit of rework to hide the details of the authentication params from the library users to make any future changes more clean. There aren't functionality changes, but just in case, if you want to take another look. If not, I'll merge after retesting it.

Thanks for the reviews!

- Add JWT secret key to command line options.
@avalerio-tkd
avalerio-tkd merged commit c55d22a into main Nov 30, 2025
2 checks passed
@avalerio-tkd
avalerio-tkd deleted the av_auth_server_07 branch November 30, 2025 19:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants