Closed smadbe closed 2 months ago
There's a problem with the case with only the score_token: we need to know the local item_id to know which keys to use.
I see two options:
item_id if there's only the score_token
item_id from the token, and verify the signature once we have it. I'm just not sure that we do that easily with the token system, so it might require some work.
Why wouldn't the LocalItemId work? https://github.com/France-ioi/AlgoreaBackend/blob/master/app/payloads/score_token.go#L15
Actually I was talking about the LocalItemId already. After more thought, I think it's best to retrieve it from the token, and verify the signature after (option 2). It's weird given how the token system has been implemented (the payload is retrieved only after the signature was checked) but I think it makes sense.
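The order discussed in the comments above (read the item id from the token payload first, verify the signature afterwards) can be sketched as follows. This is an added example, not code from AlgoreaBackend: the token format, the Ed25519 keys, the `local_item_id` field name and the function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed format for this example: base64url(JSON payload) + "." + base64url(Ed25519 signature).
type scorePayload struct {
	LocalItemID string `json:"local_item_id"` // hypothetical field name
	Score       string `json:"score"`
}

func signToken(p scorePayload, key ed25519.PrivateKey) string {
	body, _ := json.Marshal(p)
	enc := base64.RawURLEncoding.EncodeToString(body)
	return enc + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(key, []byte(enc)))
}

// verifyScoreToken reads the item id from the still-untrusted payload only to
// pick the key, and returns the payload only if that key's signature is valid.
func verifyScoreToken(token string, keys map[string]ed25519.PublicKey) (*scorePayload, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return nil, fmt.Errorf("malformed token")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[0])
	var p scorePayload
	if err != nil || json.Unmarshal(body, &p) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	key, known := keys[p.LocalItemID] // untrusted value, used as a lookup key only
	if !known {
		return nil, fmt.Errorf("no key for item %q", p.LocalItemID)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || !ed25519.Verify(key, []byte(parts[0]), sig) {
		return nil, fmt.Errorf("invalid signature")
	}
	return &p, nil // the payload may be trusted only from this point on
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	p, err := verifyScoreToken(signToken(scorePayload{"item-A", "100"}, priv), map[string]ed25519.PublicKey{"item-A": pub})
	fmt.Println(p, err)
}
```

The unverified item id only selects which key to check against, so a token signed with one item's key but claiming another item's id fails the signature check.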
Motivations
As shown in the token interaction with tasks, task interaction starts with getting a task token, and then may ask for an answer token or a hint request token, and then the task sends its score to the save grade service, either via a score token (signed by the task grader) or an answer token+score if the task has no server (so basically the score is given by the user himself).
As the task grader may send the score much later, he cannot use the API access token to call the service. Also it does necessarily have the task token.
Subtasks
For the POST /items/save-grade service: