Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A new signal to allow api login requests through an external service #2057

Open
2 of 11 tasks
Dimfred opened this issue Nov 20, 2019 · 5 comments
Open
2 of 11 tasks

A new signal to allow api login requests through an external service #2057

Dimfred opened this issue Nov 20, 2019 · 5 comments
Milestone
Future Feature Re...

Comments

@Dimfred
Copy link

Dimfred commented Nov 20, 2019

User Story
As a bitshares node operator I'd like to give the users the best experience.

In terms of api_logins the user is required to verify himself. Therefore the bitshares blockchain offers the api_access_info. This file is loaded on startup of the node. To add a new user and make the change available, the node has to be restarted. That is pretty inconvenient. It would be great if the change could take place dynamically.

More specifically some sort of signal, which is emitted when a user tries to log in. The signal destination can then be a plugin for example, we call that external_service, which then verifies the user and logs him in.

The external_service itself is not part of the issue.

Impacts
Describe which portion(s) of BitShares Core may be impacted by your request. Please tick at least one box.

  • API (the application programming interface)
  • Build (the build process or something prior to compiled code)
  • CLI (the command line wallet)
  • Deployment (the deployment process after building such as Docker, Travis, etc.)
  • DEX (the Decentralized EXchange, market engine, etc.)
  • P2P (the peer-to-peer network for transaction/block propagation)
  • Performance (system or user efficiency, etc.)
  • Protocol (the blockchain logic, consensus, validation, etc.)
  • Security (the security of system or user data, etc.)
  • UX (the User Experience)
  • Other (please add below)

P.S.

My thoughts on this and a prototype implementation, which just serves testing purposes for myself can be found here: #2051

In my example I used the external_service only for the acquisition of the api_access_info and tried to reuse as much code as possible, hence I reused the login_api::login code, to avoid duplicate code. Maybe it's a good idea to make the verification also through the external_service, which would allow for custom verification schemes.
@abitmore abitmore added this to the 4.1.0 - Feature Release milestone Nov 20, 2019
@pmconrad
Copy link
Contributor

This file is loaded on startup of the node. To add a new user and make the change available, the node has to be restarted.

I think this can be improved quite easily. Check file modification time and reload upon change.

More specifically some sort of signal, which is emitted when a user tries to log in. The signal destination can then be a plugin for example, we call that external_service, which then verifies the user and logs him in.
The external_service itself is not part of the issue.

IMO we should not add arbitrary signals in the vague hope that some plugin might want to use them in the future.

Also, I think a better approach could be to install a proxy before the API port. Existing proxy implementations typically come with a variety of supported authentication schemes. A new plugin would have to re-implement this all by itself.

@Dimfred
Copy link
Author

Dimfred commented Nov 21, 2019

@xeroc tag

@xeroc
Copy link
Member

xeroc commented Dec 2, 2019

IMO we should not add arbitrary signals in the vague hope that some plugin might want to use them in the future.

We actually have a plugin that gets credentials from SQLite (later also MySQL) databases.

Also, I think a better approach could be to install a proxy before the API port. Existing proxy implementations typically come with a variety of supported authentication schemes. A new plugin would have to re-implement this all by itself.

Bitshares-core has a login API already, why not use that? The advantage (obv) is that it doesn't break any client side implementations

@abitmore
Copy link
Member

abitmore commented Dec 2, 2019

Also, I think a better approach could be to install a proxy before the API port. Existing proxy implementations typically come with a variety of supported authentication schemes. A new plugin would have to re-implement this all by itself.

Bitshares-core has a login API already, why not use that? The advantage (obv) is that it doesn't break any client side implementations

Because bitshares-core is harder or more expensive to extend and/or maintain. The same applies to API servers, it's clear that practically it's better to run API nodes behind a reverse proxies e.g. HAProxy or Nginx which would handle load-balancing and SSL-offloading better.

@xeroc
Copy link
Member

xeroc commented Dec 9, 2019

Found something to work with haproxy.

Still, i think it would be a nicer solution to have it as part of plugin - after all, that's what plugins are good for, IMHO.

https://github.com/TimWolla/haproxy-auth-request

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Future Feature Release
Development

No branches or pull requests
4 participants
@xeroc @pmconrad @abitmore @Dimfred