microsoft / openpaimarketplace

A marketplace that stores examples and job templates for OpenPAI. Users can use openpaimarketplace to share their jobs, or to run and learn from jobs shared by others.

[MP restserver] Add access control to APIs

SwordFaith opened this issue · comments

Introduction

Use username and token info to verify user identity (#210 work item 2, /items API).

Issues / Motivations

Currently, the /items, /items/{itemId} and /storage/blobs APIs lack an auth check.

Proposals / Solutions

Implement a middleware to handle the auth check logic.

Work Plan

  • Implement middleware to check user auth via the /tokens/check API or the /users/{username} API
  • Add check auth to /items
  • Add check auth to /items/{itemId}
  • Add check auth to /storage/blobs

Demo

Test cases

  • get /items test
    • correct username and token, get all items that can be viewed by the user
    • correct username and wrong token, 401 unauth
    • wrong username and correct token or wrong token, 404 user not found (no separate logic for the username in the body)
  • post /items test
    • correct username, token and job yml, 200 and item id
    • correct username, token and wrong job yml, 405 invalid input
    • correct username and wrong token, 401 unauth
    • wrong username and correct token or wrong token, 404 user not found
  • get /items/{itemId} test
    • correct username, token and auth, get the item info
    • correct username, token and no auth, 403 forbidden
    • correct username and wrong token, 401 unauth
    • wrong username and correct token or wrong token, 404 user not found
  • put /items/{itemId} test
    • correct username, token, auth and job yml, 200 ok
    • correct username, token and no auth, 403 forbidden
    • correct username, token, auth and wrong job yml, 405 invalid input
    • correct username and wrong token, 401 unauth
    • wrong username and correct token or wrong token, 404 user not found
  • delete /items/{itemId} test
    • correct username, token and auth, 200 ok
    • correct username, token and no auth, 403 forbidden
    • correct username and wrong token, 401 unauth
    • wrong username and correct token or wrong token, 404 user not found
  • get /storage/blobs test
    • admin user, correct token, 200 and blobs info
    • admin user, wrong token, 401 unauth
    • normal user, correct token, 403 forbidden
    • normal user, wrong token, 401 unauth
    • unknown user, wrong or correct token, 404 user not found
  • post /storage/blobs test
    • admin user, correct token, correct blob, 201 and blob id
    • admin user, correct token, wrong blob, 400 and validation error
    • admin user, wrong token, 401 unauth
    • normal user, correct token, 403 forbidden
    • normal user, wrong token, 401 unauth
    • unknown user, wrong or correct token, 404 user not found
commented

For access to items without permission, I prefer to return 404.
I think GitHub has the same scenario.