Authentication on custom data routes

Stian_Strom · February 27, 2025, 8:34am

I've created a gateway-scoped module that has some data endpoints set up using mountRoutes in the GatewayHook.

I need to secure these endpoints so that only authenticated users can GET/POST data to them. I've looked into the restrict-method of the RouteMounter, and this works well when accessing the endpoints from a logged-in session on the gateway.

To begin with I need to be able to call the endpoints from Perspective views as well. These views are locked down. Is there a way to pass the credentials of the logged-in user to the endpoint?

bmusson · February 27, 2025, 12:47pm

You can pretty easily retrieve a WebAuthStatus by looking up a Perspective client’s session id with from the session monitor.

// Embr-SSE PerspectiveAuthRequest.kt
    override fun getSecurityContext(context: EventStreamGatewayContext): SecurityContext {
        return context.perspectiveContext?.run {
            logger.trace("Attempting to find Perspective Session {}...", sessionId)
            return sessionMonitor
                .findSession(UUID.fromString(sessionId))
                .map {
                    logger.trace("Perspective Session {} found.", it.sessionId)
                    SecurityContext.fromSecurityLevels(it.webAuthStatus.securityLevels)
                }
                .orElse(null)
        } ?: SecurityContext.emptyContext()
    }

pturmel · February 27, 2025, 12:56pm

If a request comes from a Perspective session, the HttpSession will contain a perspective-session attribute of type PerspectiveSessionCollection. That object has a .findProjectSession which leads you to its .getWebAuthStatus(), to be used like the gateway's base auth status.

You will need to make your module depend on Perspective in order to be able to use those types.

bmusson · February 27, 2025, 12:58pm

Ooh, that’s cool!

pturmel · February 27, 2025, 12:59pm

Blob server uses that infra to honor a Named Query's security. There are some nuances to unauth sessions that fall into a security zone that I don't actually handle correctly. (I reject them.) You may need to poke around a bit.

Stian_Strom · February 27, 2025, 1:06pm

Thanks, I'll have a look

pturmel · February 27, 2025, 1:15pm

You may need to use ScriptContext.defaultProject(). I don't see an obvious way to identify the request's origin project from the PSC. (In the Blob server, I make the user supply it in the URL.)

PGriffith · February 27, 2025, 3:37pm

N.B. that authentication on routes is one of the API breaking changes in 8.3.0; you now can provide either an AccessControlStrategy (broadly similar to RouteAccessControl) or specify a PermissionType and automatically get (at time of writing) web UI, auth token, and security zone based access control:

        /**
         * Adds an access control strategy to this route. If multiple access controls strategies are added,
         * only one must pass for the request to be allowed. In other words, the strategies are combined with an OR.
         * Use {@link AccessControlStrategy#OPEN_ROUTE} to allow all requests.
         * <p>
         * If no access control strategy is added, the route will always be denied.
         */
        RouteMounter accessControl(AccessControlStrategy accessControl);

        /**
         * Adds access control strategies to this route that will require that the permissions required for the
         * given access type are possessed by the calling client.
         */
        RouteMounter requirePermission(PermissionType permissionType);