authenticate grails server with GitHub - so users only see what they are doing and only allow some to do upload #39

Closed
7 of 20 tasks
nathandunn opened this issue Feb 5, 2021 · 18 comments · Fixed by #46

Comments


nathandunn commented Feb 5, 2021

  • link GitHub and Google to certain roles (can set default roles only)
  • test securing rest controller (make sure we can send jwt token across)
  • test access using React client

  • hard-code admin users in
  • integrate same within Xena server depending on the page
  • add "Login to Upload" button
  • bootstrap default users and roles
  • have a "user" popup for admins to promote to admins / or just have default admins
  • when getting the initial app-state need to return the max-role

  • logged in users can upload GMT files with limit of 50
  • Allow users to delete their own
  • Users may only see their own
  • They CAN share private links, though
  • user uploaded should show up as "(user XXX) . . . gmt name"

Follow: https://guides.grails.org/grails-oauth-google/guide/index.html (and) https://github.com/nathandunn/grails-oauth-google


https://grails-plugins.github.io/grails-spring-security-rest/latest/docs/#_google


This uses Google for OAuth2 as below. This is actually using the REST plugin:

https://plugins.grails.org/plugin/grails/spring-security-rest

https://guides.grails.org/grails-oauth-google/guide/index.html

https://github.com/grails-guides/grails-oauth-google/tree/master/complete


Authorize REST version for login:

https://grails-plugins.github.io/grails-spring-security-rest/latest/docs/

good example of how to do the providers with Spring Boot:

https://www.callicoder.com/spring-boot-security-oauth2-social-login-part-1/

nathandunn changed the title from "authenticate grails server" to "authenticate grails server - so users only see what they are doing" on Feb 5, 2021
nathandunn changed the title from "authenticate grails server - so users only see what they are doing" to "authenticate grails server - so users only see what they are doing and only allow some to do upload" on Feb 16, 2021
nathandunn changed the title from "authenticate grails server - so users only see what they are doing and only allow some to do upload" to "authenticate grails server with GitHub - so users only see what they are doing and only allow some to do upload" on Feb 16, 2021

nathandunn commented Feb 19, 2021


  • integrate same within Xena server depending on the page
  • add "login" button


nathandunn commented Feb 19, 2021

@nathandunn

Note: for https://github.com/nathandunn/grails4-multiple-oauth-example this almost works.

We need to be able to specify that some users are "ADMIN" and some are not, regardless of their role. I think what happens, is that all users end up being secured in the same way and we use a separate permission service to check particular users.

@nathandunn

This needs to be replicated using a RESTful controller with React.

@nathandunn

Potentially I need to add the OauthID to the Person object and provide grails.plugin.springsecurity.oauth2.domainClass = 'com.insilico.dmc.OAuthID'

However, it's unclear.

@nathandunn

curl API call:

curl -v -H 'Accept: application/json' -H "Cookie: jwt=" http://localhost:8080/api/

@nathandunn

Almost working, but react-google-login uses a different token strategy when decoding (i.e., not MAC512, but RS256), so it is completely different, though maybe it can be transcoded?

Going to use the googleapis oauth2 client instead to get a potentially more consistent token . . .


nathandunn commented Feb 25, 2021

{
  "alg": "RS256",
  "kid": "fed80fec56db99233d4b4f60fbafdbaeb9186c73",
  "typ": "JWT"
}

vs

{
  "alg": "HS256"
}

Also note, this is how you add extractors to pull out users with Spring Boot (less sure about Grails, but may not be necessary):

https://medium.com/@bvulaj/mapping-your-users-and-roles-with-spring-boot-oauth2-a7ac3bbe8e7f

https://github.com/eugenp/tutorials/blob/master/spring-security-modules/spring-5-security-oauth/src/main/java/com/baeldung/oauth2extractors/ExtractorsApplication.java

@nathandunn

Even if we can do otherwise, we can only verify with HS256. Noted here: grails/grails-spring-security-rest#490


nathandunn commented Feb 25, 2021

So Grails does not support this explicitly. Not sure of the fix version. Options:

1. authenticate against the API directly using a redirect and refresh back with a returned JWT key
2. use Auth0, which provides a plugin for Grails that does this already
3. provide an API token if authenticated . . . still hard for an open-source tool to use
4. make all uploads ephemeral for non-logged-in users and limit users? or just limit security

Will try 1, shoot for 2, and then do 4.

@nathandunn

Finally will need to map to a domain class at some point as well.

For 1 it is problematic as it comes back as an httpOnly cookie, which I think is a good thing, but then it is not rebroadcast as part of the axios request.


nathandunn commented Feb 25, 2021

Because the domain is not (and likely will not be) shared, we can't share the httpOnly cookie (even if just on different ports).

Definitely possible to put them on the same domain but on a different path; however, not sure if that would work either. As HS256 is less than preferred, especially for open source, may look to another model.


nathandunn commented Feb 25, 2021

Probably the easiest thing to do would be to login the front and then use https://github.com/jwtk/jjwt#jws-key-rsa to verify the key: https://github.com/jwtk/jjwt#verification-key


nathandunn commented Feb 25, 2021

  • confirm token is JWT
  • attempt to decode accessToken on server
  • integrate within the repo

@nathandunn nathandunn mentioned this issue Feb 26, 2021
nathandunn added a commit that referenced this issue Feb 27, 2021
* added initial user data

* updating user requests

* automatically bootstraps users

* used more formal parsing

* admins bootstrapped and updated

* updated

* added proper fields

* updated

* added proper private versus public list calls

* added is public

* added user

* added shared user

* minor cleanup