Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Client security doesn't work with v3 of the spec #556

Closed
Tracked by #518
KhudaDad414 opened this issue Oct 30, 2023 · 9 comments · Fixed by #588
Closed
Tracked by #518

Client security doesn't work with v3 of the spec #556

KhudaDad414 opened this issue Oct 30, 2023 · 9 comments · Fixed by #588
Assignees
@Souvikns
Labels
bug Something isn't working released

Comments

@KhudaDad414
Copy link
Member

Describe the bug

Consider this AsyncAPI file:

asyncapi: 3.0.0
info:
  title: Slack Websocket API
  version: 1.0.0
servers:
  OpenAI:
    host: api.openai.com
    protocol: https
    security:
      - $ref: "#/components/securitySchemes/openAI"
.
.
.
components:
  securitySchemes:
    openAI:
      type: http
      scheme: bearer

when I use this asyncapi file with the following auth function:

export async function clientAuth({ parsedAsyncAPI, serverName }) {
  return {token: process.env.CHAT_API}
}

I get the following error:

x Cannot read properties of undefined (reading 'json')
    at file:....dist/lib/wsHttpAuth.js:31:78
    at Array.map (<anonymous>)
    at GleeAuth.checkClientAuthConfig (file://...dist/lib/wsHttpAuth.js:26:63)
    at GleeAuth.<anonymous> (file:///....dist/lib/wsHttpAuth.js:148:35)
    at Generator.next (<anonymous>)
    at fulfilled (file://....dist/lib/wsHttpAuth.js:4:58)

How to Reproduce

Creat an http client and try to use the bearer authentication method.

Expected behavior

It should authenticate the client as expected.

cc: @oviecodes
@KhudaDad414 KhudaDad414 added the bug Something isn't working label Oct 30, 2023
@oviecodes
Copy link
Contributor

I'll take a look at it @KhudaDad414 .

@Souvikns
Copy link
Member

Souvikns commented Nov 1, 2023
edited
Loading

@oviecodes let me take this one, If you have any progress on this then feel free to open a PR or you can review my PR as you know best how authentication works.

@KhudaDad414 KhudaDad414 mentioned this issue Nov 1, 2023
Closed
7 tasks
@oviecodes
Copy link
Contributor

okay @Souvikns

@Souvikns
Copy link
Member

Souvikns commented Nov 6, 2023

After playing with the codebase I found that the errors are originating from

glee/src/lib/wsHttpAuth.ts

Line 31 in 25ab916

checkClientAuthConfig() {

This function basically tries to check if auth config provided from the auth function match the spec, but now with V3 the way of accessing the config has changed and thus it fails to read the spec for security schemes and thus get undefined errors.

There is also a problem with the logic we are using for providing and parsing security schemes, since this changed a lot from V2 to V3 of the spec.

Security for spec V2

security:
    - token: []
    - userPass: []
    - apiKey: []
    - UserOrPassKey: []
    - oauth: 
      - write:pets
      - read:pets

Security for spec V3

servers:
  OpenAI:
    host: api.openai.com
    protocol: https
    security:
      - $ref: '#/components/securitySchemes/openAI'
components:
  securitySchemes:
    openAI:
      type: http
      scheme: bearer
      name: token

Currently, we are providing the security parameters according to the type, something like this -

export async function clientAuth({ serverName }) {
    console.log("serverName", serverName)
  
    return {
      token: process.env.TOKEN,
      oauth: process.env.OAUTH2,
      apiKey: process.env.APIKEY,
      userPass: {
        user: process.env.USERNAME,
        password: process.env.PASSWORD
      }
    }
  }

This is not possible with the spec v3 and also there are better ways of passing in the parameters now.

I think one way to solve this issue, is by modifying both the clientAuth function and the way we parse securitySchemes.

Parsing

Now we should parse the securityScheme according to the id provided by the parser, and check for type and name to determine what parameter to fetch and where to pass in the provider.

Auth Function

Instead of passing the authentication parameters according to the type of the securityScheme we should pass it according to the id and use the name property to pass in the actual parameter, so it would look something like this

async function clientAuth({serverName}) {
  return {
    openAI: {
      token: process.env.TOKEN
    }
  }
}

@KhudaDad414 and @oviecodes let me know your thoughts on this.

@KhudaDad414
Copy link
Member Author

@Souvikns, your purposed solution makes sense to me. 👍
I guess it makes more sense to discuss it over a PR.

@oviecodes
Copy link
Contributor

Yeah, @Souvikns , but how do we handle people that will use spec v2? or are we suppose to support just v3 and later going forward

@Souvikns
Copy link
Member

Souvikns commented Nov 7, 2023

We are trying to have Glee officially support spec 3.0 and onwards.

@Souvikns Souvikns mentioned this issue Nov 20, 2023
Merged
@Souvikns
Copy link
Member

/progress 60

Opened PR, depends on #551 as cannot update the HTTP examples without request/reply support.

@asyncapi-bot
Copy link
Contributor

🎉 This issue has been resolved in version 0.32.14 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Souvikns Souvikns

Labels
bug Something isn't working released
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: client security scheme now works with spec v3 Souvikns/glee
4 participants
@KhudaDad414 @Souvikns @oviecodes @asyncapi-bot