dmarro89 / dare-db

Dare-DB is a lightweight in-memory database written in Go, featuring Redis-inspired hashtables and HTTP/HTTPS endpoints for seamless data storage and retrieval, with Docker support for easy deployment
MIT License

Security - implement basic authorization and authentication #35

Closed dmarro89 closed 3 months ago

dmarro89 commented 3 months ago

Implementing basic authorization & authentication for all HTTP/s requests.

Added:

Changes and edits:

Dependencies:

dmarro89 commented 3 months ago

curl --insecure -X POST -H "Authorization: Bearer " -d '{"myKey":"myValue"}' https://localhost:2605/set/

Hi @vdmitriyev, thanks for your comment.

I've tried it before and it works.

The Authorization header should contain just the token (without Bearer).

curl --insecure -X POST -H "Authorization: " -d '{"myKey":"myValue"}' https://localhost:2605/set/

Try it and let me know.

vdmitriyev commented 3 months ago

curl --insecure -X POST -H "Authorization: Bearer " -d '{"myKey":"myValue"}' https://localhost:2605/set/

Try it and let me know.

Thanks for the response. Was able to pass auth. However, still not able to insert key/values into database. See below.

Request:

curl --insecure -X POST -H "Authorization: <TOKEN>" -H "Content-Type: application/json" -d {"myKey":"myValue"} https://localhost:2605/set

Response:

Invalid JSON format, the body must be in the form of {"key": "value"}

Server logs:

...
[INFO] - User 'admin' is allowed to 'POST' resource 'set'
invalid character '\'' looking for beginning of value
...

Added simple prints to the dare-server.go

var data map[string]interface{}
err := json.NewDecoder(r.Body).Decode(&data)
if err != nil {
    fmt.Println(err) // this line was added
    http.Error(w, "Invalid JSON format, the body must be in the form of {\"key\": \"value\"}", http.StatusBadRequest)
    return
}

dmarro89 commented 3 months ago

curl --insecure -X POST -H "Authorization: Bearer " -d '{"myKey":"myValue"}' https://localhost:2605/set/

Try it and let me know.

Thanks for the response. Was able to pass auth. However, still not able to insert key/values into database. See below.

Request:

curl --insecure -X POST -H "Authorization: <TOKEN>" -H "Content-Type: application/json" -d {"myKey":"myValue"} https://localhost:2605/set

Response:

Invalid JSON format, the body must be in the form of {"key": "value"}

Server logs:

...
[INFO] - User 'admin' is allowed to 'POST' resource 'set'
invalid character '\'' looking for beginning of value
...

Added simple prints to the dare-server.go

var data map[string]interface{}
err := json.NewDecoder(r.Body).Decode(&data)
if err != nil {
    fmt.Println(err) // this line was added
    http.Error(w, "Invalid JSON format, the body must be in the form of {\"key\": \"value\"}", http.StatusBadRequest)
    return
}

Hi @vdmitriyev, you are just missing the quotes before the body -> -d '{"myKey":"myValue"}'

vdmitriyev commented 3 months ago

Hi @vdmitriyev, you are just missing the quotes before the body -> -d '{"myKey":"myValue"}'

I have tried both variants: with and without single quotes. I just posted a wrong variant (sorry). I have tried out the following curl request and still got the same error:

curl --insecure -X POST -H "Authorization: <TOKEN>" -H "Content-Type: application/json" -d '{"myKey":"myValue"}' https://localhost:2605/set

dmarro89 commented 3 months ago

Hi @vdmitriyev, you are just missing the quotes before the body -> -d '{"myKey":"myValue"}'

I have tried both variants: with and without single quotes. I just posted a wrong variant (sorry). I have tried out the following curl request and still got the same error:

curl --insecure -X POST -H "Authorization: <TOKEN>" -H "Content-Type: application/json" -d '{"myKey":"myValue"}' https://localhost:2605/set

Hi @vdmitriyev, sorry for the delay in my answer. I've tried your commands and they work. Here's the screenshot.

Screenshot 2024-08-24 at 12 04 01
curl --insecure -X POST -u admin:0GfRtVRrRh7y https://localhost:2605/login
{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNzI0NDk0MDI3fQ.fDe7FGRNYZXf1nl3m9GxwfD0SadNuw6ytWSO4gW1COU"}

curl --insecure -X POST -H "Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNzI0NDk0MDI3fQ.fDe7FGRNYZXf1nl3m9GxwfD0SadNuw6ytWSO4gW1COU" -H "Content-Type: application/json" -d '{"myKey":"myValue"}' https://localhost:2605/set

curl --insecure -X GET -H "Authorization:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiZXhwIjoxNzI0NDk0MDI3fQ.fDe7FGRNYZXf1nl3m9GxwfD0SadNuw6ytWSO4gW1COU" -H "Content-Type: application/json" https://localhost:2605/get/myKey
{"myKey":"myValue"}

Try to delete your Docker images, rebuild and start.

vdmitriyev commented 3 months ago

@dmarro89 thank you for your help and your patience. The issue was not due to a Docker image (it was rebuilt every time). The issue was caused by the curl utility in combination with my terminal. The following worked for me in the end (note the combination of escapes and double quotes):

curl --insecure -X POST -H "Authorization: <TOKEN>" -H "Content-Type: application/json" -d "{\"myKey3\":\"myValue3\"}" https://localhost:2605/set

vdmitriyev commented 3 months ago

@dmarro89 I think that the PR could be merged. Or?

dmarro89 commented 3 months ago

@dmarro89 I think that the PR could be merged. Or?

Ok thanks!

dmarro89 commented 3 months ago

@dmarro89 I think that the PR could be merged. Or?

@vdmitriyev could you please approve it? Thanks

vdmitriyev commented 3 months ago

@dmarro89 I think that the PR could be merged. Or?

@vdmitriyev could you please approve it? Thanks

Done
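
The quoting failure worked out in this thread can be reproduced without curl. The following Go sketch is an added example, not code from dare-db: `decodeBody` copies the decode step quoted from dare-server.go, while `diagnose` and the sample bodies are hypothetical and constructed, assuming a client shell that passes single quotes through literally and consumes the double quotes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// decodeBody mirrors the decode step quoted from dare-server.go in the thread.
func decodeBody(body string) (map[string]interface{}, error) {
	var data map[string]interface{}
	err := json.NewDecoder(strings.NewReader(body)).Decode(&data)
	return data, err
}

// Constructed request bodies (assumption): what the server would receive when
// the client shell does or does not honour the quoting used on the command line.
var samples = []struct{ name, body string }{
	{"intact JSON", `{"myKey":"myValue"}`},
	{"single quotes literal, double quotes consumed", `'{myKey:myValue}'`},
	{"no outer quotes, double quotes consumed", `{myKey:myValue}`},
}

// diagnose (hypothetical helper) turns a failed decode into a server-side log
// hint, so the generic 400 sent to the client can stay unchanged.
func diagnose(body string) string {
	if _, err := decodeBody(body); err == nil {
		return "ok"
	} else {
		trimmed := strings.TrimSpace(body)
		switch {
		case strings.HasPrefix(trimmed, "'"):
			return "body starts with a literal single quote: client shell did not strip it"
		case strings.HasPrefix(trimmed, "{") && !strings.Contains(trimmed, `"`):
			return "object has no double quotes: client shell consumed them"
		default:
			return "malformed JSON: " + err.Error()
		}
	}
}

func main() {
	for _, s := range samples {
		_, err := decodeBody(s.body)
		fmt.Printf("%s\n  err:  %v\n  hint: %s\n", s.name, err, diagnose(s.body))
	}
}
```

The second sample yields the same parser error that appears in the server logs posted above.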