flipt-io / flipt

Enterprise-ready, GitOps enabled, CloudNative feature management solution

Home Page: https://flipt.io

[FLI-946] Don't require DB for auth if only using JWT and non-DB flag storage

markphelps opened this issue

Re: the following discussion

If using JWT auth AND a non-DB storage backend for flag state (i.e. OCI, Git, Local), then we shouldn't try to connect to a database as one isn't required.

Ideally we should try to figure out a way to make this more clear in the code without explicitly checking for JWT auth, I think.

Hello, I'm trying to understand how I can enable static token and continue using OCI! From what I've understood, when using OCI the Database is not used/ignored and the Cache is "irrelevant" as everything is already in memory, and I believe for static token it should have a persistent storage.

This is not entirely true, as if you do enable static token authentication it requires a database, and if you add cache this will definitely make the requests faster, as we cache tokens for auth as well.

We only don't require a database if you are using non-DB storage AND do not enable authentication:

```go
// NOTE: we skip attempting to connect to any database in the situation that either the git, local, or object
// FS backends are configured.
// All that is required to establish a connection for authentication is to either make auth required
// or configure at-least one authentication method (e.g. enable token method).
if !cfg.Authentication.Enabled() && (cfg.Storage.Type != config.DatabaseStorageType) {
	return grpcRegisterers{
		public.NewServer(logger, cfg.Authentication),
		authn.NewServer(logger, storageauthmemory.NewStore()),
	}, nil, shutdown, nil
}
```

```go
store = storageauthcache.NewStore(store, cacher, logger)
```

Related to what @GeorgeMac said, you can use JWT auth without a database but our current check does not allow that actually:

```go
if !cfg.Authentication.Enabled() && (cfg.Storage.Type != config.DatabaseStorageType) {
```

@GeorgeMac we should not try to connect to a DB if only the JWT auth method is used and non-DB storage is used

Originally posted by @markphelps in #2971 (comment)

FLI-946
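The following sketch is an added example, not Flipt's code. It contrasts the check quoted in the issue with one way to decide per authentication method whether a database is needed, without special-casing JWT by name. The `Config` and `AuthMethod` types, the `NeedsStore` flag and both function names are hypothetical. It assumes "auth enabled" means at least one method is enabled, and takes from the thread only that static tokens need a database and JWT does not.

```go
package main

import "fmt"

// Hypothetical model of the relevant configuration; not Flipt's real types.
type AuthMethod struct {
	Name       string
	Enabled    bool
	NeedsStore bool // true when the method persists state (e.g. static tokens)
}

type Config struct {
	StorageType string // "database", "git", "local", "oci"
	AuthMethods []AuthMethod
}

// authEnabled reports whether at least one method is enabled (assumption).
func (c Config) authEnabled() bool {
	for _, m := range c.AuthMethods {
		if m.Enabled {
			return true
		}
	}
	return false
}

// currentCheck mirrors the condition quoted in the issue: the database is
// skipped only when auth is fully disabled and flag storage is not the DB.
func currentCheck(c Config) bool {
	return !(!c.authEnabled() && c.StorageType != "database")
}

// proposedCheck asks each enabled method whether it needs a persistent
// store, so no method is checked for by name.
func proposedCheck(c Config) bool {
	if c.StorageType == "database" {
		return true
	}
	for _, m := range c.AuthMethods {
		if m.Enabled && m.NeedsStore {
			return true
		}
	}
	return false
}

func main() {
	jwtOnly := Config{"oci", []AuthMethod{{"jwt", true, false}}}
	withToken := Config{"oci", []AuthMethod{{"jwt", true, false}, {"token", true, true}}}
	fmt.Println(currentCheck(jwtOnly), proposedCheck(jwtOnly))     // true false
	fmt.Println(currentCheck(withToken), proposedCheck(withToken)) // true true
}
```
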