postman-open-technologies / gsoc-2023

Postman Open Technologies' repo for Open Source contributions during Google Summer of Code 2023

AsyncAPI: Authentication and Authorization support for websocket adapters. #17

Closed AceTheCreator closed 9 months ago

AceTheCreator commented 1 year ago

Small Intro to Glee

Glee is an innovative spec-first framework that empowers developers to build high-performing server-side applications with ease. By allowing users to focus on the business logic of their applications, Glee takes care of the critical aspects of performance, scalability, and resilience, making it an ideal solution for complex production environments. As of now glee supports multiple protocols like websocket, mqtt, kafka and soon HTTP.

Problem Statement

In particular, Glee allows users to create WebSocket servers, which necessitates the implementation of secure and reliable authentication and authorization mechanisms. This ensures that only authorized parties can access and use the WebSocket servers, thereby enhancing the overall security and privacy of the communication channels.

Proposed Solution

By providing users with the tools to develop customized authentication and authorization procedures, Glee would enable them to tailor their servers to their specific needs, ensuring that they meet the highest standards of security and reliability.

We need to support the commonly used methods of authentication that are supported by websocket servers. In general we need to have support for

  1. Basic Authentication: This is a simple and widely supported authentication mechanism that uses a username and password to authenticate clients. The client sends the username and password in the HTTP header during the WebSocket handshake, and the server verifies it before establishing the WebSocket connection.
  2. Token-Based Authentication: This is a popular authentication mechanism that uses tokens or access keys to authenticate clients. The client sends the token in the HTTP header during the WebSocket handshake, and the server verifies it before establishing the WebSocket connection.
  3. OAuth 2.0: This is a widely used authentication and authorization framework that enables clients to obtain access tokens to access protected resources. The client sends the access token in the HTTP header during the WebSocket handshake, and the server verifies it before establishing the WebSocket connection.
  4. Mutual TLS Authentication: This is a strong authentication mechanism that uses TLS certificates to authenticate clients. The client sends a client certificate during the WebSocket handshake, and the server verifies it before establishing the WebSocket connection.

Mentors: @Souvikns @KhudaDad414

Project Repo

https://github.com/asyncapi/glee

Expected Difficulty: Easy-Medium

Expected Time Commitment: 175 Hour

Technical skills required

Typescript, nodejs, websocket, EDA basics

LetsGetStartedWithBub commented 1 year ago

Hi @AceTheCreator @jansche , I am Mitchell (SDE with 2 years of experience). I haven't participated in GSOC before, but this year I am looking forward to being an active participant. And I think this project will be compatible for me as I am going to pursue it alongside my full-time job. Hope to hear from your side about how I can proceed with this project. Thank you

bshreyasharma007 commented 1 year ago

Hi Mentors [ @AceTheCreator @jansche @Souvikns @KhudaDad414 ]

I am Shreya, a technology enthusiast participating in GSOC for the first time, with the wish to contribute towards "Authentication layer for glee, support for different authentication frameworks"

As per Contribution Guide I would like to introduce myself as a candidate to work on this project which is selected for GSOC 2023

Q1) What interests you most about this project ?

I researched about glee, glee.config.js thought about how I can contribute towards this project and went through the link provided in the issue.

I have experience working with authentication and authorization systems and believe in the idea of 'multiple authentication and authorization processes' as the world moves towards things which make things easier, scalable and more secure.

I believe I can contribute towards this project in meaningful way.

Q2) As mentors and project coordinators, how can we get the best out of you?

You can get the best out of me by providing me clear and concise guidance on the project goals, expectations, and timelines.

I believe in continuous improvement hence open to feedback [ be it technical or social or in other areas ], willing to learn new technologies, tools and approaches to improve my skills and contribute towards the project.

Q3) Is there anything that you’ll be studying or working on whilst working alongside us?

I am a working professional in the field of EDI(Electronic Data Interchange) as an Analyst, with a Computer Science background.

Q4) We'd love to hear a bit on your work preferences, e.g. how you keep yourself organized, what tools you use, etc?

I like planned things; in situation where a project is not planned out with no proper communication, I tend to get a bit anxious as in my mind the priority is to complete the task.

I can give daily 4-5hr or more (depending upon office work) towards this project.

I am open to work in US, UK, or India timezone depending upon the project requirement.

To keep myself organized I make use of notepads, reminders, and personal notes with timing.

Skill stack which I currently have which can be used to contribute towards the project: JavaScript, yaml, json, typescript, RTC, socket.io, middleware, REST API, Authentication process, etc

As I mentioned previously I believe in continuous improvement hence open to feedback [ be it technical or social or in other areas ], willing to learn new technologies, tools and approaches to improve my skills and contribute towards the project.

Q5) Once you’ve selected a project from the ideas section, please suggest a weekly schedule with clear milestones and deliverables around it. Alternatively, if you want to propose your own idea then please include an outline, goals, and a well-defined weekly schedule with clear milestones and deliverables.

I have created below weekly schedule, but open to negotiating changes to the schedule as needed, with the goal of ensuring the successful completion of the project

Week 1:

Research and analysis of existing authentication and authorization systems used in WebSocket servers. Understand how glee uses middleware to implement authentication and authorization. Milestone: Submit the plan for review by the mentors.

Week 2-3:

If possible, try to implement a mini version of middleware and try to configure it with Glee. Once the above is successful, try to tweak the parameters present in glee.config.js. Write tests and documentation on the same. Milestone: Submit the logic and results to the mentor to validate whether I am going in the right direction.

Week 4-5:

Submit a pull request with the changes in glee.config.js which can be used to achieve the result.

Week 6-7:

Integration testing of the authentication and authorization feature with glee. Identify and fix any bugs or issues. Milestone: Submit a pull request with the final changes and updates for review by the mentors.

Week 8:

Final review and testing of the code. Update documentation as needed. Milestone: Submit the final code and documentation for approval by the mentors.

I have a query: the contribution guide mentions the 'MANDATORY QUALIFICATION TASK: Please engage on your selected project (link to each GitHub repo is in the issue description) by picking up an existing issue tagged "first issue". If no first issues are available, get in contact with the main mentor as listed in the repo's README.md and get individual advice.'

I request you to provide me with Mandatory qualification task so I can start contributing towards the project.

At present I am looking at asyncapi/glee/issues to get started with the contribution

Looking forward to hearing from your side

shubhsinha commented 1 year ago

Dear Mentors and Project Coordinators,

I am Shubhashish Sinha, a sophomore at BITS Pilani, Pilani Campus, and a first-time participant in GSOC. I am writing to express my interest in contributing to your project. What interests me most about this project is the opportunity to learn and develop my skills in building WebSocket servers with glee and implementing authentication middleware. As a developer, I am always looking for ways to expand my knowledge and contribute to meaningful projects.

To get the best out of me, I would appreciate clear communication and guidance on the project goals and milestones. I am open to constructive feedback and willing to make changes to ensure the success of the project. Additionally, I am willing to collaborate and communicate regularly with the team to ensure that we are on track with the project timeline.

Whilst working alongside you, I plan to study and research best practices in authentication middleware implementation, WebSocket servers, and glee configuration. I am committed to delivering high-quality work and will use the necessary tools and resources to keep myself organized and on track. I usually keep myself organized by using project management tools such as Trello and Asana, and version control tools such as Git and GitHub.

If selected for the project, I would propose the following weekly schedule with clear milestones and deliverables:

Week 1: Research and study existing authentication middleware implementation and glee configuration. Deliverable: A summary of best practices for authentication middleware implementation.

Week 2: Develop a prototype of the authentication middleware for glee server and client adapters. Deliverable: A working prototype of the authentication middleware for glee server and client adapters.

Week 3-4: Test and debug the authentication middleware implementation. Deliverable: A tested and debugged implementation of the authentication middleware for glee server and client adapters.

Week 5-6: Document the implementation process and create a user guide for the authentication middleware. Deliverable: A user guide for the authentication middleware implementation.

I look forward to hearing back from you.

Rudrak3 commented 1 year ago

Hi Mentors [ @AceTheCreator @jansche @Souvikns @KhudaDad414 ]

I am Rudresh pursuing Bachelor in Technology and I am excited to participate in GSOC 2023 for the first time. I am interested in contributing towards the "Authentication layer for glee, support for different authentication frameworks" project.

My interest in field of Software Engineering grew after creating my own projects using Python, Machine Learning, CSS, HTML, JavaScript and I believe I will be great asset towards this project.

I will be introducing myself by referring to format mentioned in Contribution Guide

Q1) What interests you most about this project ?

After reading the problem statement I researched on each keyword and found the project to be more interesting and wanted to contribute towards the project on changing parameters of glee.config.js to enable multiple authentication and authorization process.

What excites me the most about this project is the opportunity to contribute to a project that has the potential to positively impact the development community and creating a win-win situation for both parties.

Q2)As mentors and project coordinators, how can we get the best out of you?

As for getting the best out of me, I work well when given clear instructions and expectations. I would appreciate regular check-ins and feedback to ensure that I am on track and meeting project goals.

Q3) Is there anything that you’ll be studying or working on whilst working alongside us?

As I embark on this project, my foremost goal is to expand my knowledge of the intricacies of implementing enablement of multiple authentication and authorization with Glee. In addition, I aim to hone my coding skills, such as design patterns, testing methodologies, and best practices, so that my contributions are not only robust but also maintainable. I am eager to immerse myself in the project standards and leverage any available resources to create a top-notch solution that meets the project's requirements.

Q4) We'd love to hear a bit on your work preferences, e.g. how you keep yourself organized, what tools you use, etc?

In terms of work preferences, I keep myself organized by breaking tasks down into smaller, manageable pieces and using project management tools like Trello or Asana to keep track of my progress. I also make sure to communicate regularly with my team members to ensure that we are all on the same page.

Q5)Once you’ve selected a project from the ideas section, please suggest a weekly schedule with clear milestones and deliverables around it. Alternatively, if you want to propose your own idea then please include outline, goals, and a well-defined weekly schedule with clear milestones and deliverables.

Below is rough weekly schedule but it can be changed based on feedback and discussion

Week 1:

Conduct research and analysis on existing authentication and authorization systems used in WebSocket servers. Understand how glee uses middleware to implement authentication and authorization. Milestone: Submit the plan for review by the mentors.

Week 2-3:

Tweak parameters present in glee.config.js so as to achieve the end result of enabling multiple authentication and authorization processes. Write tests and documentation. Milestone: Submit the logic and results to the mentor to validate whether I am going in the right direction.

Week 4-5:

Submit a pull request with the changes in glee.config.js which can be used to achieve the desired result. Continue testing and refining the code. Milestone: Submit a pull request with the final changes and updates for review by the mentors.

Week 6-7:

Conduct integration testing of the authentication and authorization feature with glee. Identify and fix any bugs or issues. Milestone: Submit a pull request with the final changes and updates for review by the mentors.

Week 8-9:

Perform a final review and testing of the code. Update documentation as needed. Milestone: Submit the final code and documentation for approval by the mentors.

I look forward to working with the mentors and contributing to the success of this project!

Souvikns commented 1 year ago

Hello everyone, it's wonderful to see so many of you interested in the project!

The proposal period is set to open on March 20th, so there's no need to rush your proposal just yet. Instead, I would recommend taking this time to become more familiar with the project and the AsyncAPI community. Use this period to explore the codebase and get to know the mentors. If you have any questions or ideas, feel free to share them here: https://github.com/asyncapi/glee/issues/377. We're eager to hear from you and welcome your contributions.

ghost commented 1 year ago

My tech stack includes: C, C++, Python, Java, JavaScript, HTML, CSS, SQL. I want to contribute, please help; I am starting out in open source. I used Postman when working with APIs to test JSON files. I would love to learn more. @AceTheCreator

ghost commented 1 year ago

Currently Learning NodeJS

Infamia2334 commented 1 year ago

Greetings mentors @AceTheCreator @jansche @Souvikns @KhudaDad414 I am writing to express my interest in contributing to the AsyncAPI plugin project for Postman as part of Google Summer of Code 2023. These are some points I want to bring to your attention about myself and my interest in this issue:

I look forward to discussing this opportunity further and learning more about how I can contribute to the Postman Open Technologies community.

Thank you for your consideration.

Best regards, Dipan

Souvikns commented 1 year ago

Kind reminder to everyone, don't forget to register on the GSoC website and submit your proposal officially. If you want mentors to review your proposals do share them with us at souvik.de@postman.com and khudadad.nomani@postman.com.

pragya-20 commented 1 year ago

Hi there! My name is Pragya Bhardwaj, and I am a Software Developer based in India. I specialize in working with Javascript, JSON, React, and React Native, and have experience developing software applications using these technologies.

While reviewing the project description, I understand that we need to implement 4 types of authentication, but I am particularly excited to work on TLS authentication and OAuth 2.0 because these will be new for me to implement. I have implemented basic and token-based authentication using JavaScript. I am eager to work with the team and contribute to this feature. @Souvikns / @KhudaDad414, can you please tell me from where I can pick the good first issues related to it? Thanks!

Akshat171 commented 1 year ago

Hello everyone,

My name is Akshat Jangid, and I am excited to introduce myself to this community. I am a MERN stack developer with 2.5 years of experience. My skills include ReactJS, NodeJS, NextJS, TypeScript, Express and databases like MongoDB.

I am very interested in contributing to GSOC 2023 and would love to be a part of this community. I am passionate about programming and enjoy working on projects that challenge me to learn new skills and technologies.

Here are my answers to the questions raised in this project.

1.) What interests you most about this project?

As a software developer, I find the implementation of secure and reliable authentication and authorization mechanisms to be one of the most interesting aspects of the Glee project, and I have experience with the tech stack we'll be using in this project and also with the solution proposed in it. Therefore, I am excited to contribute to this project.

Looking forward to working together on an exciting project in the future.

2.) As mentors and project coordinators, how can we get the best out of you?

I believe that clear communication, specific objectives, feedback, and a good working relationship are key to getting the best out of me. I appreciate receiving feedback on my work to help me improve and refine my approach. Positive feedback motivates me to continue doing good work.

3.) Is there anything that you’ll be studying or working on whilst working alongside us?

Yes, I am a 3rd-year student of Bachelor in Technology (Mechatronics Engineering)

4.) We'd love to hear a bit about your work preferences, e.g. how you keep yourself organized, what tools you use, etc?

Work preferences :

I will be going to work on this project for 4 to 5 hours per day or if there is a need I can extend this time zone.

I can work in different time zones like India, US, or UK.

For organizing myself I use a digital calendar to schedule appointments and deadlines, and I set reminders to ensure that I don't miss any important tasks. I also use a task management app to keep track of my to-do lists and prioritize my work.

These digital things work for me as tools in my daily life.

5.) Once you’ve selected a project from the ideas section, please suggest a weekly schedule with clear milestones and deliverables around it. Alternatively, if you want to propose your own idea then please include an outline, goals, and a well-defined weekly schedule with clear milestones and deliverables.

I would propose the following 10-week schedule with clear milestones and deliverables:

Week 1-2:

Week 3-4:

Week 5-6:

- Milestone: creating a pull request and proper documentation.

Week 7-8:

Week 9-10:

Finally, the goal of this project would be to provide Glee users with a secure and reliable authentication and authorization mechanism for their WebSocket servers, thereby enhancing the overall security and privacy of their communication channels.

visheshc14 commented 1 year ago

Hi @Souvikns @KhudaDad414 I am Vishesh, a 3rd year computer science student at VIT University, Vellore and I would love to work on this project. I have around a year of experience working with Golang, Rust, NodeJS, MongoDB, Express, GraphQL and creating RESTful APIs. I am highly looking forward to being a potential contributor for this project and organization!

AsyncAPI is a specification that defines a common format for describing asynchronous APIs. It provides a standardized way to define the structure of messages exchanged between services in an asynchronous communication system.

When it comes to implementing authentication in AsyncAPI, it is important to consider the security needs of the system and the various authentication frameworks that can be used to meet those needs.

In the case of the glee system, the authentication layer can be implemented using various authentication frameworks such as OAuth2, OpenID Connect, JSON Web Tokens (JWT), Basic Authentication, and more. Each of these frameworks has its own strengths and weaknesses and can be used to meet specific security requirements.

To implement authentication in glee using AsyncAPI, you would typically start by defining the security requirements of the system in the AsyncAPI specification. This can be done by adding a security scheme object to the specification, which defines the type of authentication required and any additional parameters needed to authenticate the user.

Here's an example of how the security scheme object can be defined in AsyncAPI.

```yaml
# securitySchemes is a field of the Components Object, so it sits under components:
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
```

In this example, we define a security scheme named "bearerAuth" that uses HTTP authentication with a bearer token format (JWT). This means that users must provide a valid JWT token in the Authorization header of their requests to access the protected resources in glee.

Once the security scheme object is defined, it can be used to secure the channels and operations in the AsyncAPI specification. This is done by adding the security property to the channels or operations that require authentication. For example:

```yaml
channels:
  notifications:
    subscribe:
      summary: Subscribe to notifications
      operationId: subscribeToNotifications
      # security on an Operation Object is available from AsyncAPI 2.4 onward;
      # earlier versions only allow it on the Server Object
      security:
        - bearerAuth: []
```

In this example, we secure the "notifications" channel and its "subscribe" operation by requiring the "bearerAuth" security scheme. This means that users must provide a valid JWT token to subscribe to notifications.

By using the security scheme object and the security property in the AsyncAPI specification, you can implement authentication in glee and support different authentication frameworks depending on the security requirements of your system.

aguywithbrain commented 1 year ago

AsyncAPI is a powerful tool for designing and documenting APIs that use asynchronous messaging protocols. One area where AsyncAPI has received a lot of attention recently is in its support for websocket adapters with authentication and authorization capabilities.

In order to add authentication and authorization support to a websocket adapter using AsyncAPI, there are a few different approaches that can be taken:

Using JSON Web Tokens (JWTs) - one common way to implement authentication and authorization is through the use of JSON Web Tokens (JWTs). With this approach, clients send their credentials (typically a username and password) to the server, which then returns a JWT that is used to authenticate subsequent requests.

OAuth 2.0 - another common approach to authentication and authorization is through the use of OAuth 2.0. In this scenario, clients authenticate themselves by providing an Access Token that they have obtained from an Authorization Server. The server will then validate the token and authorize the client based on the permissions granted to that token.

Custom Authentication/Authorization mechanisms - if neither of the above approaches work for your use case, you may need to implement a custom authentication or authorization mechanism. This approach allows you to define your own middleware that can perform whatever authentication and authorization checks are necessary.

Regardless of which approach you choose, it's important to keep security in mind when designing and implementing authentication and authorization for your websocket adapter. Make sure to properly validate user inputs, sanitize data, and use best practices for securing access tokens and other sensitive information. By following these guidelines, you can help ensure that your websocket adapter is secure and reliable.

aguywithbrain commented 1 year ago

example of jwt based authentication

const jwt = require('jsonwebtoken');

// ...

```javascript
// wss is an existing ws WebSocketServer and handleRequest is defined elsewhere
wss.on('connection', function connection(ws) {
  ws.on('message', function incoming(data) {
    // Verify the JWT sent by the client. ws delivers message data as a Buffer,
    // and jwt.verify expects a string, so convert it first.
    try {
      const payload = jwt.verify(String(data), 'your_secret_key');
      // The token is valid - handle the request here
      handleRequest(payload);
    } catch (err) {
      // The token is invalid or has expired
      ws.send(JSON.stringify({ error: 'Invalid token' }));
    }
  });
});
```

kaushik-rishi commented 1 year ago

Hey @AceTheCreator Was this issue taken up as a part of GSOC'23 or is it like already claimed by some mentee ?

AceTheCreator commented 1 year ago

Hey @AceTheCreator Was this issue taken up as a part of GSOC'23 or is it like already claimed by some mentee ?

Yea, it's part of GSOC'23 :)

gabel commented 1 year ago

Are there any results to share out of this GSOC?

benjagm commented 9 months ago

Closed as completed as part of 2023 edition.