[MP restserver] Add access control to APIs
SwordFaith opened this issue
Introduction
Use username and token info to verify user identity. (#210, work item 2)
Issues / Motivations
Currently, the /items, /items/{itemId} and /storage/blobs APIs lack an auth check.
Proposals / Solutions
Implement a middleware to handle the auth check logic.
Work Plan
- Implement middleware to check user auth via the /tokens/check API or the /users/{username} API
- Add auth check to /items
- Add auth check to /items/{itemId}
- Add auth check to /storage/blobs
Demo
Test cases
- get /items test
  - correct username and token, get all items that can be viewed by the user
  - correct username and wrong token, 401 unauth
  - wrong username and correct token or wrong token, 404 user not found (no separate logic for username in body)
- post /items test
  - correct username, token and job yml, 200 and item id
  - correct username, token and wrong job yml, 405 invalid input
  - correct username and wrong token, 401 unauth
  - wrong username and correct token or wrong token, 404 user not found
- get /items/{itemId} test
  - correct username, token and auth, get the item info
  - correct username, token and no auth, 403 forbidden
  - correct username and wrong token, 401 unauth
  - wrong username and correct token or wrong token, 404 user not found
- put /items/{itemId} test
  - correct username, token, auth and job yml, 200 ok
  - correct username, token and no auth, 403 forbidden
  - correct username, token, auth and wrong job yml, 405 invalid input
  - correct username and wrong token, 401 unauth
  - wrong username and correct token or wrong token, 404 user not found
- delete /items/{itemId} test
  - correct username, token and auth, 200 ok
  - correct username, token and no auth, 403 forbidden
  - correct username and wrong token, 401 unauth
  - wrong username and correct token or wrong token, 404 user not found
- get /storage/blobs test
  - admin user, correct token, 200 and blobs info
  - admin user, wrong token, 401 unauth
  - normal user, correct token, 403 forbidden
  - normal user, wrong token, 401 unauth
  - unknown user, wrong or correct token, 404 user not found
- post /storage/blobs test
  - admin user, correct token, correct blob, 201 and blob id
  - admin user, correct token, wrong blob, 400 and validation error
  - admin user, wrong token, 401 unauth
  - normal user, correct token, 403 forbidden
  - normal user, wrong token, 401 unauth
  - unknown user, wrong or correct token, 404 user not found
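The middleware from the work plan, as an added example that is not the project's own code: it applies the status-code matrix above (unknown user before token check, so 404 is returned whatever the token; bad token gives 401; missing permission gives 403; /storage/blobs is admin-only). The `USERS` and `ITEM_ACL` tables, the `Request`/`Response` types and the `dispatch` router are constructed stand-ins for the real /users/{username} and /tokens/check lookups and the server's routing; the real implementation would call those APIs instead.

```python
# Added example (not the project's code): an auth middleware that applies the
# issue's status-code matrix. USERS and ITEM_ACL are constructed stand-ins for
# the /users/{username} and /tokens/check lookups the work plan refers to.
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Constructed sample user store: username -> admin flag and API token.
USERS: Dict[str, dict] = {
    "alice": {"admin": False, "token": "tok-alice"},
    "bob": {"admin": False, "token": "tok-bob"},
    "root": {"admin": True, "token": "tok-root"},
}

# Constructed item ACL: itemId -> usernames allowed to view/modify it.
ITEM_ACL: Dict[str, Set[str]] = {
    "item-1": {"alice"},
    "item-2": {"alice", "bob"},
}

@dataclass
class Request:
    method: str
    path: str
    username: Optional[str]
    token: Optional[str]

@dataclass
class Response:
    status: int
    body: dict = field(default_factory=dict)

def lookup_user(username: Optional[str]) -> Optional[dict]:
    """Stand-in for GET /users/{username}; None means 'user not found'."""
    return USERS.get(username) if username else None

def token_valid(user: dict, token: Optional[str]) -> bool:
    """Stand-in for /tokens/check; constant-time compare avoids a timing leak."""
    return token is not None and hmac.compare_digest(user["token"], token)

def authenticate(req: Request) -> Optional[Response]:
    """Identity check in the order the test matrix implies:
    unknown username -> 404 (regardless of token), bad token -> 401."""
    user = lookup_user(req.username)
    if user is None:
        return Response(404, {"error": "user not found"})
    if not token_valid(user, req.token):
        return Response(401, {"error": "unauthorized"})
    return None

def authorize(req: Request, user: dict) -> Optional[Response]:
    """Permission check for the routes named in the issue."""
    if req.path.startswith("/storage/blobs"):
        # /storage/blobs is admin-only in the test matrix.
        return None if user["admin"] else Response(403, {"error": "forbidden"})
    if req.path.startswith("/items/"):
        item_id = req.path[len("/items/"):]
        allowed = ITEM_ACL.get(item_id)
        if allowed is None:  # not covered by the matrix; treated as 404 here
            return Response(404, {"error": "item not found"})
        if user["admin"] or req.username in allowed:
            return None
        return Response(403, {"error": "forbidden"})
    # The /items collection is open to any authenticated user; the handler
    # filters the listing down to the items the caller may view.
    return None

def auth_middleware(handler: Callable[[Request, dict], Response]):
    """Wrap a route handler so it only runs for an authenticated, authorized caller."""
    def wrapped(req: Request) -> Response:
        err = authenticate(req)
        if err is not None:
            return err
        user = lookup_user(req.username)
        err = authorize(req, user)
        if err is not None:
            return err
        return handler(req, user)
    return wrapped

def list_items(req: Request, user: dict) -> Response:
    visible = sorted(i for i, acl in ITEM_ACL.items()
                     if user["admin"] or req.username in acl)
    return Response(200, {"items": visible})

def get_item(req: Request, user: dict) -> Response:
    return Response(200, {"item": req.path[len("/items/"):]})

def list_blobs(req: Request, user: dict) -> Response:
    return Response(200, {"blobs": []})

def dispatch(req: Request) -> Response:
    """Minimal router; the real server would register the wrapped handlers."""
    if req.path == "/items":
        handler = list_items
    elif req.path.startswith("/items/"):
        handler = get_item
    elif req.path == "/storage/blobs":
        handler = list_blobs
    else:
        return Response(404, {"error": "route not found"})
    return auth_middleware(handler)(req)
```

Keeping `authenticate` and `authorize` separate means the identity check runs once per request and the per-route permission rule is the only thing that varies; switching the no-permission response from 403 to 404 (as the comment below prefers) would be a one-line change in `authorize`.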
For access to items without permission, I prefer to return 404.
I think GitHub has the same scenarios.