Open cthulhu-rider opened 6 months ago
The desired behavior is likely:
This is strongly related to https://github.com/nspcc-dev/neofs-api/issues/241, I'd like to have a token that can be created on the user side without reliance on the REST gateway (which is technically possible, but not trivial at the moment, so REST users like Panel never do this). This would mean that REST should be more transparent, but it can provide some additional API specifically to check tokens as they're known to the gateway.
There are some hidden things. The problem is deeper than it looks at first sight. In fact, the problem could be mirrored to the node if the gate were updated first for the new version of the SDK. In this case the gate approves the token, but the node will say "invalid signature" error.
In the node we have the same place, where we have to unmarshal the token to a struct from its binary or JSON representation. It is required to be able to pass the token to commands via parameters.
We can try to make this thing more transparent for the gate in case the gate does not interfere inside the token. But this requires a new command API like WithBearerTokenBinary(token []byte) instead of WithBearerToken(t bearer.Token).
NeoFS bearer token was recently extended with a new field (https://github.com/nspcc-dev/neofs-api/issues/266). Now it has one more field that could be signed and transferred. I tried to use the latest token version w/o REST gateway upgrade (being done in https://github.com/nspcc-dev/neofs-rest-gw/pull/176) and see how it goes.
Current Behavior
REST denies bearer token:
while NeoFS accepts it.
Expected Behavior
REST accepts a valid bearer token and the op proceeds in the same way as when contacting NeoFS directly
Possible Solution
this is a function that handles passed bearer token. As we can see, it:
currently, signature mismatch is expected cuz:
next can be done to solve the problem:
Describe alternatives you've considered
Steps to Reproduce
Context
btw storage nodes are not forward compatible too. We can do same steps with upgraded REST and "old" nodes. Then output is:
but it is consistent with NeoFS (CLI) itself:
the same problem may be encountered by any app which inherits NeoFS binary models
Regression
no: this worked (and still), but iff SDK revisions are synced
Your Environment
neofs-dev-env@155e022bd96cdde14b4fdf4a6d2c125147c9bcb8 with modified versions in .env file
neofs-node and neofs-cli from https://github.com/nspcc-dev/neofs-node/pull/2787. If merged, latest can be used
neofs-rest-gw@v0.8.3
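The forward-compatibility failure discussed in this issue, as an added Go example that is not code from the issue, NeoFS or its SDK. It assumes the mismatch arises because a component built against an older model drops the field it does not know when it re-encodes the token before checking the signature. The toy TLV format, the field tags and the names `oldModelRoundTrip`, `verify` and `signToken` are hypothetical, and Ed25519 stands in for the real NeoFS signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Constructed toy wire format (not NeoFS protobuf): repeated [tag][len][value].
type field struct{ tag byte; val []byte }

func encode(fs []field) []byte {
	var b []byte
	for _, f := range fs {
		b = append(append(b, f.tag, byte(len(f.val))), f.val...)
	}
	return b
}

// oldModelRoundTrip decodes with an older model (tags 1, 2 only) and re-encodes.
func oldModelRoundTrip(body []byte) []byte {
	var known []field
	for i := 0; i+2 <= len(body) && i+2+int(body[i+1]) <= len(body); {
		tag, end := body[i], i+2+int(body[i+1])
		if tag == 1 || tag == 2 {
			known = append(known, field{tag, body[i+2 : end]})
		}
		i = end
	}
	return encode(known)
}

// verify checks sig over the received bytes, or over the struct round trip.
func verify(pub ed25519.PublicKey, body, sig []byte, viaStruct bool) bool {
	if viaStruct {
		body = oldModelRoundTrip(body)
	}
	return ed25519.Verify(pub, body, sig)
}

// signToken signs a constructed token body with a fixed all-zero-seed demo key.
func signToken(fs []field) (ed25519.PublicKey, []byte, []byte) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	body := encode(fs)
	return priv.Public().(ed25519.PublicKey), body, ed25519.Sign(priv, body)
}

func main() {
	pub, body, sig := signToken([]field{{1, []byte("owner")}, {2, []byte("exp=100")}, {3, []byte("issuer")}})
	fmt.Println("via struct:", verify(pub, body, sig, true), "raw bytes:", verify(pub, body, sig, false))
}
```

Verifying over the bytes exactly as received is the property a binary pass-through API such as the WithBearerTokenBinary(token []byte) proposed in the comments would preserve.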