Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Sofie Core Groups with Trusted header SOFIE-95 #11

Merged
merged 1 commit into from
Nov 26, 2024

Conversation

Julusian
Copy link
Collaborator

This is a hacky proof-of-concept on header based authentication flow.

For now using the dnt header, as that gets passed through to meteor.

When a ddp connection is opened, it checks the header, and if its not a valid value, it closes the connection. This may not be wanted, as it means this can't be bypassed within nginx, and breaks development.

Then a new meteor method is added, which allows for asking the backend what 'user level' to show in the ui. This is crudely slotted into existing logic, it needs to be redone properly. It also should consider re-checking the value whenever the ddp connection reopens, to allow for invalidating permissions.

The enum may want to be changed, to match the granular system used in the frontend.

But this works, I can run through nginx with proxy_set_header dnt "admin"; and the settings button appears, or change that to proxy_set_header dnt "studio"; and it disappears (and for some reason sofie won't let me run a studio in this mode..)

We should consider that nrkno#1241 is coming in release52, which removes the existing meteor user based auth. So when finishing this, it might be beneficial to pull in parts of that to avoid making this cooperate with code that is about to disappear.

@Julusian
Copy link
Collaborator Author

Reactivity isn't perfect within the ui, but this now behaves fairly sensibly.
The various scattered checks for permissions have been centralised to a react context. This context is updated on a 30s poll to meteor, which reports the permissions. This is a horrible hack and should be replaced with something more intelligent.
But this means that if I change the header set in nginx, and restart it (to force connections to be dropped), then after reconnecting, and the poll re-runs, the ui updates to reflect the new permissions (mostly, some bits need to be forced to remount)

This portion (minus the polling) could be contributed upstream on its own, as it is fairly standalone and would be useful for anyone else wanting to redo permissions within the ui

@Julusian Julusian changed the base branch from bbc-release51-3 to release51 September 20, 2024 14:48
@Julusian
Copy link
Collaborator Author

Julusian commented Sep 20, 2024

This is very much battling how meteor wants auth to work, but I have a hack which sets the userId of a ddp connection when it is opened based off the headers.
And an working poc of using the userId to them check if a user is allowed to edit the studio.

@Julusian Julusian changed the base branch from release51 to bbc-release52 October 15, 2024 11:31
@Julusian Julusian force-pushed the feat/header-based-roles branch 2 times, most recently from b755f81 to daa4956 Compare November 5, 2024 14:03
@Julusian Julusian changed the title SOFIE-95 - Sofie Core Groups with Trusted header POC SOFIE-95 - Sofie Core Groups with Trusted header Nov 5, 2024
@Julusian Julusian marked this pull request as ready for review November 6, 2024 12:33
@Julusian Julusian changed the title SOFIE-95 - Sofie Core Groups with Trusted header feat: Sofie Core Groups with Trusted header SOFIE-95 Nov 26, 2024
@Julusian Julusian merged commit 761ff58 into bbc-release52 Nov 26, 2024
61 of 62 checks passed
@Julusian Julusian deleted the feat/header-based-roles branch November 26, 2024 13:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant