Merge branch 'main' into mt-test-avdefs-newenv
Showing 96 changed files with 1,816 additions and 979 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# Third Party API Access | ||
|
||
## Overview | ||
In order to make a request to the API, users (3rd party and non) need to be authenticated (signed in) and authorized (have permission to make a particular request). Non 3rd party users are both authenticated and authorized with Cognito. While 3rd party users will be able to authenticate with cognito, authorization will happen separately that we can grant them longer term credentials for authorization. | ||
|
||
## Process for 3rd Parties to Use the MC-Review API | ||
|
||
1. 3rd party is authenticated (signs on) | ||
2. 3rd party requests a JWT | ||
3. 3rd party uses the JWT to make a request to the MC-Review API | ||
4. Request is sent to `v1/graphql/external` via the `graphql` API gateway endpoint, which invokes the lambda authorizer | ||
5. The lambda authorizer, `third_party_api_authorizer`, verifies the JWT that the 3rd party sent with their request. If the JWT is valid (valid user, and not expired) the lambda returns an “allow” policy document, otherwise it returns a “deny”. This policy determines if the request can proceed. | ||
6. When authorization is successful the user ID that was granted the JWT is used to fetch a full user record from postgres. This is user is then a part of the context for the resolver. | ||
|
||
## JWT Security | ||
Like previously mentioned, third parties will need to have a valid JWT in order to access the MC-Review API. More can be found on JWT security [here](api-jwt-security.md) |
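Review bot: step 5 (the `third_party_api_authorizer` bullet) defines a valid JWT as "valid user, and not expired" but never mentions signature verification, so the document does not say what stops a forged or tampered token from producing an "allow" policy; state which signing key and algorithm the authorizer checks and which claims it validates (at least `exp`, plus issuer and audience if they are set), since those checks are what make the allow/deny decision trustworthy. Because the Overview says third parties receive "longer term credentials", also say whether the postgres lookup in step 6 rejects a user who has been disabled after the token was issued; as written, token expiry is the only revocation path the document describes. Two wording fixes in the same hunk: the Overview sentence "authorization will happen separately that we can grant them longer term credentials" should read "authorization will happen separately so that we can grant them longer term credentials", and step 6's "This is user is then a part of the context" should read "This user is then part of the context".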
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
import { ok, err } from 'neverthrow' | ||
import type { Store } from '../postgres' | ||
import { lookupUserAurora } from './cognitoAuthn' | ||
import { initTracer, recordException } from '../../../uploads/src/lib/otel' | ||
|
||
export async function userFromThirdPartyAuthorizer( | ||
store: Store, | ||
userId: string | ||
) { | ||
// setup otel tracing | ||
const otelCollectorURL = process.env.REACT_APP_OTEL_COLLECTOR_URL | ||
if (!otelCollectorURL || otelCollectorURL === '') { | ||
const errMsg = | ||
'Configuration Error: REACT_APP_OTEL_COLLECTOR_URL must be set' | ||
throw errMsg | ||
} | ||
|
||
const serviceName = 'third-party-authorizer' | ||
initTracer(serviceName, otelCollectorURL) | ||
|
||
try { | ||
// Lookup user from postgres | ||
const auroraUser = await lookupUserAurora(store, userId) | ||
if (auroraUser instanceof Error) { | ||
return err(auroraUser) | ||
} | ||
|
||
if (auroraUser === undefined) { | ||
return err(auroraUser) | ||
} | ||
|
||
return ok(auroraUser) | ||
} catch (e) { | ||
const err = new Error('ERROR: failed to look up user in postgres') | ||
|
||
recordException(err, serviceName, 'lookupUser') | ||
throw err | ||
} | ||
} |
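Review bot: the `catch` block declares `const err = new Error('ERROR: failed to look up user in postgres')`, which shadows the `err` imported from neverthrow on the first line; it only works because the Result-wrapping `err` is not used inside that block, so rename the local (for example `lookupError`) before someone adds a `return err(...)` there and gets a confusing type error. Two issues the caller will see: `throw errMsg` throws a bare string instead of an Error, losing the stack trace and breaking `instanceof Error` checks (use `throw new Error(errMsg)`), and `if (auroraUser === undefined) { return err(auroraUser) }` returns `err(undefined)`, handing the lambda authorizer an error value with no message, so return `err(new Error('user not found'))` or similar and declare an explicit return type so the Result's error type is visible at the call site. The function also mixes contracts, returning `err(...)` for lookup failures but re-throwing from the `catch`, and it calls `initTracer` on every invocation with an env var named `REACT_APP_OTEL_COLLECTOR_URL` (a client-side naming convention for a lambda); initialize the tracer once at module load and give the variable a server-side name. Finally, the import from `../../../uploads/src/lib/otel` reaches across into another service's source tree; move the otel helpers into a shared package so this authorizer does not depend on the uploads service layout.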