The new authorization flow is to create a token that gets uploaded to GCS and appended to every request. The token is only generated if the user is authenticated with gcloud and has access to the project the gemserver is in. The server checks if the token file exists and its value matches the token in the request for the request to succeed. Upon request completion, the token file is deleted. The token files are unique so concurrent requests are not an issue.
If the user is authenticated with gcloud, a token is generated by the googleauth gem and set as a header on every request. The server checks the header and validates it with the tokeninfo API for requests.
The server issues a redundant request to update the parent project of the gemserver with its current settings; this implicitly checks that the token has edit access and privileged operations that require edit access should succeed. Only create_key, delete_key, and stats are privileged operations and make this extra request.
Fixes #27.
The new authorization flow is to create a token that gets uploaded to GCS and appended to every request. The token is only generated if the user is authenticated with gcloud and has access to the project the gemserver is in. The server checks if the token file exists and its value matches the token in the request for the request to succeed. Upon request completion, the token file is deleted. The token files are unique so concurrent requests are not an issue.If the user is authenticated with gcloud, a token is generated by the
googleauthgem and set as a header on every request.The server checks the header and validates it with the tokeninfo API for requests.The server issues a redundant request to update the parent project of the gemserver with its current settings; this implicitly checks that the token has edit access and privileged operations that require edit access should succeed. Onlycreate_key,delete_key, andstatsare privileged operations and make this extra request.