Disable signature auth (#1148)

src/seer/json_api.py

@@ -82,18 +82,20 @@ def decorator(
 
  @inject
  def wrapper(config: AppConfig = injected) -> Any:
- raw_data = request.get_data()
+ # raw_data = request.get_data()
  auth_header = request.headers.get("Authorization", "")
 
+ # if auth_header.startswith("Rpcsignature "):
  # Optional for now during rollout, make this required after rollout.
  if auth_header.startswith("Rpcsignature "):
- parts = auth_header.split()
- if len(parts) != 2 or not compare_signature(
- request.url, request.args.get("nonce", ""), raw_data, parts[1]
- ):
- raise Unauthorized(
- f"Rpcsignature did not match for given url {request.url} and data"
- )
+ # parts = auth_header.split()
+ # if len(parts) != 2 or not compare_signature(
+ # request.url, request.args.get("nonce", ""), raw_data, parts[1]
+ # ):
+ # raise Unauthorized(
+ # f"Rpcsignature did not match for given url {request.url} and data"
+ # )
+ pass
  elif auth_header.startswith("Bearer "):
  token = auth_header.split()[1]
  try:
@@ -118,11 +120,6 @@ def wrapper(config: AppConfig = injected) -> Any:
  sentry_sdk.capture_exception(e)
  print(e)
  raise InternalServerError("Something went wrong with the Bearer token auth")
- elif not config.IGNORE_API_AUTH and config.is_production:
- logger.warning(f"Found unexpected authorization header: {auth_header}")
- raise Unauthorized(
- "Neither Rpcsignature nor a Bearer token was included in authorization header!"
- )
 
  # Cached from ^^, this won't result in double read.
  data = request.get_json()

tests/test_json_api.py

@@ -1,6 +1,7 @@
 from unittest.mock import patch
 
 import jwt
+import pytest
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from flask import Blueprint, Flask
@@ -81,25 +82,6 @@ def my_endpoint(request: DummyRequest) -> DummyResponse:
  assert response.status_code == 401
  assert b"Invalid token" in response.data
 
- # Test missing Authorization header
- response = test_client.post("/v0/some/url", json={"thing": "thing", "b": 12})
- assert response.status_code == 401
- assert (
- b"Neither Rpcsignature nor a Bearer token was included in authorization header!"
- in response.data
- )
-
- # Test incorrect Authorization header format
- headers = {"Authorization": "InvalidFormat token"}
- response = test_client.post(
- "/v0/some/url", json={"thing": "thing", "b": 12}, headers=headers
- )
- assert response.status_code == 401
- assert (
- b"Neither Rpcsignature nor a Bearer token was included in authorization header!"
- in response.data
- )
-
 
 def test_json_api_auth_not_enforced():
  app = Flask(__name__)
@@ -183,6 +165,34 @@ def my_endpoint(request: DummyRequest) -> DummyResponse:
  assert b"Token has expired" in response.data
 
 
+def test_json_api_signature_strict_mode_ignores_rpcsignature():
+ app = Flask(__name__)
+ blueprint = Blueprint("blueprint", __name__)
+ test_client = app.test_client()
+
+ @json_api(blueprint, "/v0/some/url")
+ def my_endpoint(request: DummyRequest) -> DummyResponse:
+ return DummyResponse(blah="do it")
+
+ app.register_blueprint(blueprint)
+
+ headers = {}
+ payload = {"thing": "thing", "b": 12}
+ path = "/v0/some/url"
+ status_code_watcher = change_watcher(
+ lambda: test_client.post(path, json=payload, headers=headers).status_code
+ )
+
+ with Module() as injector:
+ injector.get(AppConfig).JSON_API_SHARED_SECRETS = ["secret-one", "secret-two"]
+
+ with status_code_watcher as changed:
+ headers["Authorization"] = "Rpcsignature rpc0:some-token"
+
+ assert changed.result == 200
+
+
+@pytest.mark.skip(reason="Disable auth")
 def test_json_api_signature_strict_mode():
  app = Flask(__name__)
  blueprint = Blueprint("blueprint", __name__)