Credentials module doesn't validate required endpoints #54

Open
andacata opened this issue Dec 28, 2023 · 3 comments

@andacata (Contributor) opened the issue Dec 28, 2023:

The platforms may require some endpoints to be available on the other platform.

I'm requesting proposals for approaches to implement it.

@lilgallon (Member) commented Dec 28, 2023:

What do you mean exactly? As of now, endpoints are secured by the implementation of Http4TransportServer. Example here:

```kotlin
.also { httpRequest ->
    if (secured) runBlocking { secureFilter(httpRequest) }
}
```

The secureFilter is that method in HttpUtils:

```kotlin
suspend fun PartnerRepository.checkToken(
    httpRequest: HttpRequest
) {
    val token = httpRequest.parseAuthorizationHeader()
    /**
     * From OCPI 2.2.1 doc:
     * When a server receives a request with a valid CREDENTIALS_TOKEN_A, on another module than: credentials or
     * versions, the server SHALL respond with an HTTP 401 - Unauthorized status code.
     *
     * So, we allow token A only if we are in this case.
     */
    val allowTokenA = httpRequest.path.contains("versions") ||
        httpRequest.path.contains("/{versionNumber}") ||
        httpRequest.path.contains("credentials")
    val validToken = (allowTokenA && isCredentialsTokenAValid(token)) ||
        isCredentialsServerTokenValid(token)
    if (!validToken) {
        throw OcpiClientInvalidParametersException("Invalid server token (token A allowed: $allowTokenA): $token")
    }
}
```

The secured boolean is set to true by default in transportServer.handle().

```kotlin
suspend fun handle(
    method: HttpMethod,
    path: List<PathSegment>,
    queryParams: List<String> = emptyList(),
    secured: Boolean = true,
    filters: List<(request: HttpRequest) -> Unit> = emptyList(),
    callback: suspend (request: HttpRequest) -> HttpResponse
)
```

It is used by every OCPI module server implementation. Example in LocationsCpoServer.kt:

```kotlin
transportServer.handle(
    method = HttpMethod.GET,
    path = basePathSegments + listOf(
        VariablePathSegment("locationId")
    )
) { req ->
    req.httpResponse {
        service
            .getLocation(
                locationId = req.pathParams["locationId"]!!
            )
    }
}
```
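The OCPI 2.2.1 rule quoted in the comment above (CREDENTIALS_TOKEN_A is acceptable only on the versions and credentials modules, 401 everywhere else), as an added stand-alone Kotlin example that is not code from this project or from lilgallon. It resolves the module from whole path segments instead of substring `contains` checks, so a resource id that merely contains the text "credentials" (the fourth case in `main`) does not widen the token-A allowance; the version-details endpoint (a path ending in the version number) is treated like the versions module, which is what the `/{versionNumber}` branch above is for. `TokenStore`, `moduleOf`, `authorize`, `Decision` and the sample tokens are assumptions, and the token is compared as the raw `Authorization: Token ...` value, without the base64 decoding the real header needs.

```kotlin
// Added example, not project code. Names and sample tokens are hypothetical.

enum class TokenKind { TOKEN_A, SERVER_TOKEN, UNKNOWN }

// Modules a partner may call with CREDENTIALS_TOKEN_A while registration is
// still in progress (OCPI 2.2.1 credentials section).
val MODULES_OPEN_TO_TOKEN_A = setOf("versions", "credentials")

data class Decision(val status: Int, val reason: String)

// Stand-in for the partner repository: which tokens are A tokens handed out
// for registration and which are full server tokens.
class TokenStore(private val tokensA: Set<String>, private val serverTokens: Set<String>) {
    fun classify(token: String?): TokenKind = when {
        token == null -> TokenKind.UNKNOWN
        token in serverTokens -> TokenKind.SERVER_TOKEN
        token in tokensA -> TokenKind.TOKEN_A
        else -> TokenKind.UNKNOWN
    }
}

// An OCPI version segment such as "2.2.1" or "2.1".
private val VERSION_SEGMENT = Regex("""\d+\.\d+(\.\d+)?""")

// Module addressed by a concrete request path, matched on whole segments:
//   /ocpi/emsp/versions                -> "versions"
//   /ocpi/emsp/2.2.1                   -> "versions" (version details)
//   /ocpi/emsp/2.2.1/locations/LOC1    -> "locations"
// Returns null when the path contains no version segment and is not /versions.
fun moduleOf(path: String): String? {
    val segments = path.substringBefore('?').split('/').filter { it.isNotEmpty() }
    if (segments.isEmpty()) return null
    if (segments.last() == "versions") return "versions"
    val v = segments.indexOfFirst { VERSION_SEGMENT.matches(it) }
    if (v < 0) return null
    return segments.getOrNull(v + 1) ?: "versions"
}

// Apply the 2.2.1 rule: server tokens are valid everywhere, token A only on
// the open modules, anything else (or no token) is rejected with 401.
fun authorize(store: TokenStore, path: String, authorization: String?): Decision {
    val token = authorization?.removePrefix("Token ")?.trim()
    val module = moduleOf(path) ?: return Decision(404, "not an OCPI path: $path")
    return when (store.classify(token)) {
        TokenKind.SERVER_TOKEN -> Decision(200, "server token accepted on $module")
        TokenKind.TOKEN_A ->
            if (module in MODULES_OPEN_TO_TOKEN_A) Decision(200, "token A accepted on $module")
            else Decision(401, "CREDENTIALS_TOKEN_A not allowed on $module")
        TokenKind.UNKNOWN -> Decision(401, "unknown or missing token")
    }
}

fun main() {
    val store = TokenStore(tokensA = setOf("tokA"), serverTokens = setOf("tokC"))
    // Constructed requests: path and Authorization header value.
    val cases: List<Pair<String, String?>> = listOf(
        "/ocpi/emsp/versions" to "Token tokA",                       // 200, versions
        "/ocpi/emsp/2.2.1" to "Token tokA",                          // 200, version details
        "/ocpi/emsp/2.2.1/credentials" to "Token tokA",              // 200, credentials
        "/ocpi/emsp/2.2.1/locations/credentials-1" to "Token tokA",  // 401: module is locations
        "/ocpi/emsp/2.2.1/locations/LOC1" to "Token tokC",           // 200, server token
        "/ocpi/emsp/2.2.1/locations/LOC1" to null                    // 401, no token
    )
    cases.forEach { (path, auth) ->
        println("$path [${auth ?: "no header"}] -> ${authorize(store, path, auth)}")
    }
}
```

A substring check such as `path.contains("credentials")` would accept the fourth request with token A, since the location id contains that word; segment matching keeps the allowance to the two modules the spec names.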

@andacata (Contributor, Author) commented Dec 28, 2023:

Oh, sorry. I'm talking about the required endpoints from the other platform. From the documentation:

> 7.1.6. Required endpoints not available
>
> When two platforms connect, it might happen that one of the platforms expects a certain endpoint to be available at the other platform.
> For example: a Platform with a CPO role could only want to connect when the CDRs endpoint is available in a platform with an eMSP role.
> In case the Sender (starting the credentials exchange process) cannot find the endpoints it expects, it is expected NOT to send the POST request with credentials to the Receiver. Log a message/notify the administrator to contact the administrator of the Receiver platform.
> In case the Receiver platform cannot find the endpoints it expects, it is expected to respond to the request with the status code 3003.

@lilgallon (Member) commented:

For that to be implemented, we would need to add a nullable parameter that would be something like "expectedEndpoints". If this is set, during client registration, we need to stop it if the expected endpoints are not available on the receiver.
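Both halves of section 7.1.6 quoted above, and the nullable "expectedEndpoints" parameter proposed in the comment, as one added Kotlin example that is not code from this project or from either commenter. The Sender compares the Receiver's version-details endpoint list against the endpoints it requires and does not send the credentials POST when something is missing (notifying the administrator instead); the Receiver runs the same comparison on the incoming registration and answers with OCPI status code 3003. A `null` requirement list means no check, mirroring the proposed nullable parameter. `Endpoint`, `VersionDetails`, `Required`, `Outcome`, the function names and the constructed eMSP endpoint list are assumptions; the `identifier`/`role`/`url` fields and the SENDER/RECEIVER roles follow the 2.2.1 version-details format.

```kotlin
// Added example, not project code. Types, functions and sample data are hypothetical.

// One entry of a 2.2.1 version-details response.
data class Endpoint(val identifier: String, val role: String, val url: String)
data class VersionDetails(val version: String, val endpoints: List<Endpoint>)

// An endpoint a platform insists the other side offers (module + interface role).
data class Required(val identifier: String, val role: String)

const val OCPI_SUCCESS = 1000
// OCPI 2.2.1: "No matching endpoints or expected endpoints missing between parties".
const val OCPI_MISSING_ENDPOINTS = 3003

sealed class Outcome {
    object Proceed : Outcome()
    data class Abort(val missing: List<Required>) : Outcome()
}

// Endpoints from `required` that the partner's version details do not offer.
// A null `required` plays the role of an unset "expectedEndpoints" parameter:
// nothing is enforced.
fun missingEndpoints(details: VersionDetails, required: Collection<Required>?): List<Required> {
    if (required == null) return emptyList()
    val offered = details.endpoints.map { Required(it.identifier, it.role) }.toSet()
    return required.filterNot { it in offered }
}

// Sender side (7.1.6): decide whether to send POST /credentials at all.
fun senderShouldRegister(details: VersionDetails, required: Collection<Required>?): Outcome {
    val missing = missingEndpoints(details, required)
    return if (missing.isEmpty()) Outcome.Proceed else Outcome.Abort(missing)
}

// Receiver side (7.1.6): same comparison, mapped to the OCPI status code of the reply.
fun receiverStatusCode(details: VersionDetails, required: Collection<Required>?): Int =
    if (missingEndpoints(details, required).isEmpty()) OCPI_SUCCESS else OCPI_MISSING_ENDPOINTS

fun main() {
    // Constructed version-details answer from an eMSP that offers no CDRs endpoint.
    val emspDetails = VersionDetails(
        version = "2.2.1",
        endpoints = listOf(
            Endpoint("credentials", "RECEIVER", "https://emsp.example/ocpi/2.2.1/credentials"),
            Endpoint("locations", "RECEIVER", "https://emsp.example/ocpi/2.2.1/locations"),
            Endpoint("tokens", "SENDER", "https://emsp.example/ocpi/2.2.1/tokens")
        )
    )
    // A CPO that only connects when it can push CDRs (the example in 7.1.6).
    val cpoRequires = listOf(Required("credentials", "RECEIVER"), Required("cdrs", "RECEIVER"))

    when (val outcome = senderShouldRegister(emspDetails, cpoRequires)) {
        is Outcome.Proceed -> println("sending POST /credentials")
        is Outcome.Abort -> println("not sending credentials; notify the administrator, missing: ${outcome.missing}")
    }
    println("receiver would answer status_code=${receiverStatusCode(emspDetails, cpoRequires)}")

    // With the parameter unset, registration proceeds and the receiver answers 1000.
    println("no expected endpoints configured -> ${senderShouldRegister(emspDetails, null)}, " +
        "status_code=${receiverStatusCode(emspDetails, null)}")
}
```

The check has to run against the version-details response of the specific version both sides agreed on, before the credentials POST: on the Sender that is the version endpoint fetched during registration, on the Receiver it is the version-details fetched from the URL carried in the incoming credentials object.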

lilgallon added the labels enhancement and module: credentials on Jan 4, 2024

lilgallon added a commit that referenced this issue on Jan 11, 2024: feat(credentials) #54: validate required endpoints
Development: no branches or pull requests

2 participants