Authx - Add APIv4 support for creating and validating credentials #26044

Merged
merged 8 commits into from
May 8, 2023

Member

@totten totten commented Apr 11, 2023

Overview

Add APIv4 actions for creating login credentials (as JWT) and validating login credentials (without actually logging in).

(Builds on @seamuslee001's #25992. But it makes several changes -- I'm posting under diff PR# so we can pick/discuss if some are more interesting or controversial than others.)

Before

N/A

After

Defines API AuthxCredential.create, as in:

cv api4 AuthxCredential.create contactId=203
[
    {
        "cred": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IndkcHZGZEZyNFZHWGdiNnNnMXVPLXlsck9NZyJ9.eyJleHAiOjE2ODExOTI0NzQsInN1YiI6ImNpZDoyMDMiLCJzY29wZSI6ImF1dGh4In0.6RHP5f54O3bfzN3dLYd9VpL8uTBPC_FSKJWhq7cSJdo"
    }
]

Defines API AuthxCredential.validate, as in:

cv api4 -U validate-user AuthxCredential.validate checkPermissions=1 cred="$(cv api4 -IU auth-user AuthxCredential.create contactId=203 checkPermissions=1)"
[
    {
        "flow": "script",
        "credType": "jwt",
        "jwt": {
            "exp": 1681192121,
            "sub": "cid:203",
            "scope": "authx"
        },
        "useSession": false,
        "userId": 1,
        "contactId": "203"
    }
]

Technical Details

For r-run, I used this setup script:

drush -y role-create auth-role
drush -y role-create validate-role
drush -y rap auth-role 'access CiviCRM,generate any authx credential'
drush -y rap validate-role 'access CiviCRM,validate any authx credential'

drush -y user-create --password="demo" --mail="auth-user@example.com" "auth-user"
drush -y user-create --password="demo" --mail="validate-user@example.com" "validate-user"
drush -y user-add-role auth-role auth-user
drush -y user-add-role validate-role validate-user

And then these example commands (note: they're long - scroll horizontally):

echo 'http://dmaster.bknix:8001/civicrm/dashboard?_authxSes=1&_authx='$(cv api4 -IU auth-user AuthxCredential.create contactId=203 checkPermissions=1)

echo 'http://dmaster.bknix:8001/civicrm/dashboard?_authxSes=1&_authx='$(cv api4 -IU validate-user AuthxCredential.create contactId=203 checkPermissions=1)

cv api4 -U validate-user AuthxCredential.validate checkPermissions=1 cred="$(cv api4 -IU auth-user AuthxCredential.create contactId=203 checkPermissions=1)"
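
As an added example (not part of the original PR description and not CiviCRM's code), the following Python decodes the sample credential from the `AuthxCredential.create` output above and shows the checks a verifier applies to a token of this shape: pinned HS256 algorithm, constant-time signature comparison, `scope`, and `exp`. The helper names, the key `demo-key`, and the token built by `make_cred()` are assumptions constructed for illustration; the real signing key exists only on the CiviCRM site.

```python
import base64, hashlib, hmac, json

# Sample credential copied from the AuthxCredential.create output on this page.
PAGE_CRED = "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6IndkcHZGZEZyNFZHWGdiNnNnMXVPLXlsck9NZyJ9.eyJleHAiOjE2ODExOTI0NzQsInN1YiI6ImNpZDoyMDMiLCJzY29wZSI6ImF1dGh4In0.6RHP5f54O3bfzN3dLYd9VpL8uTBPC_FSKJWhq7cSJdo"

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def parse_cred(cred: str) -> dict:
    """Decode header and claims WITHOUT verifying; for inspection only."""
    scheme, _, token = cred.strip().partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise ValueError("expected 'Bearer <header>.<claims>.<signature>'")
    head, body, sig = token.split(".")
    return {"header": json.loads(b64url_decode(head)),
            "claims": json.loads(b64url_decode(body)),
            "signing_input": f"{head}.{body}".encode(),
            "signature": b64url_decode(sig)}

def contact_id(claims: dict) -> int:
    """Extract N from a subject of the form 'cid:N', as in the page's samples."""
    kind, _, value = str(claims.get("sub", "")).partition(":")
    if kind != "cid" or not value.isdigit():
        raise ValueError("sub is not of the form cid:<n>")
    return int(value)

def check(cred: str, key: bytes, now: int) -> dict:
    """Verify signature, scope and expiry; return the claims or raise ValueError."""
    p = parse_cred(cred)
    if p["header"].get("alg") != "HS256":  # pin the algorithm, do not trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, p["signing_input"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, p["signature"]):  # constant-time compare
        raise ValueError("bad signature")
    if p["claims"].get("scope") != "authx":
        raise ValueError("wrong scope")
    if now >= int(p["claims"].get("exp", 0)):
        raise ValueError("expired")
    return p["claims"]

def make_cred(key: bytes, claims: dict) -> str:
    """Build a constructed HS256 credential to exercise check(); not CiviCRM's signer."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    head = enc(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    body = enc(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"Bearer {head}.{body}.{enc(sig)}"
```

Decoding alone says nothing about authenticity: anyone holding the sample token can read its claims, but only a holder of the site's signing key can perform the equivalent of `check()` on it.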

seamuslee001 and others added 8 commits April 3, 2023 15:08
…t creation and validation of JWTs via the API
* Fix type of `$ttl`
* Make `$ttl` default visible
* Don't expose `scope` until there's clearer goal
* Return a credential instead of bare token
* Fix crash for undefined reference to `AuthenticatorTarget`
    * This is a private class.
* Expect a credential instead of bare token
* Fix types on setter/getter
* Accept optional `$flow`. Make default visible.
@civibot

civibot bot commented Apr 11, 2023

(Standard links)

@civibot civibot bot added the master label Apr 11, 2023
@seamuslee001
Contributor

@totten I think this works for me, and I'll work to incorporate it into the extension I am writing, but I think this can be merged now.

@seamuslee001 seamuslee001 merged commit 3af8f62 into civicrm:master May 8, 2023