Closed mkobetic closed 1 year ago
Looks like all publish requests are already authenticated as soon as --api-authn-enable is set.
https://github.com/xmtp/xmtp-node-go/blob/main/pkg/api/interceptor.go#L66
Looks like we don't enable api.authn just yet in either dev or production, so this seems to boil down to just some infra updates. Do we feel comfortable pulling the trigger on this?
What about E2E tests?
Looking at the TF files I don't think we're using it there either.
@snormore would you recommend doing it on e2e tests first?
Hm although I just realized that the existing interceptor just validates the token, but we also want to extend the authorization code to check for the two topics and deny if the token address doesn't match the topic address.
@mkobetic if we want to test restricted topics via e2e we'd have to either (1) emit test messages on more legit contact- or privatestore- topics (which would make it harder to clean them up because they can't be distinguished as test topics), or (2) add a testprivate- topic check along with the contact- or privatestore- checks and emit to that as an e2e test for it.
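The topic-ownership check the thread is asking for (token validation alone does not stop an authenticated caller from publishing to another wallet's contact- or privatestore- topic), written as an added example that is not part of xmtp-node-go or of this thread. The prefix list (including the testprivate- prefix suggested for e2e), the function names, the way the wallet address is taken from an already-validated token, and the case-insensitive comparison of hex addresses are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical restricted topic prefixes: the thread names contact- and
// privatestore- and suggests testprivate- for e2e tests. Constructed here.
var restrictedPrefixes = []string{"contact-", "privatestore-", "testprivate-"}

// ErrTopicAddressMismatch is returned when a restricted topic names a wallet
// other than the one the auth token was issued for.
var ErrTopicAddressMismatch = errors.New("token address does not match topic address")

// restrictedTopicAddress returns the address embedded in a restricted topic
// and true, or "" and false when the topic is not restricted at all.
func restrictedTopicAddress(topic string) (string, bool) {
	for _, p := range restrictedPrefixes {
		if strings.HasPrefix(topic, p) {
			return strings.TrimPrefix(topic, p), true
		}
	}
	return "", false
}

// AuthorizePublish denies a publish request if any restricted topic in it does
// not belong to tokenAddress, the wallet address recovered from the already
// validated auth token (assumed to be supplied by the token interceptor).
// Unrestricted topics pass through untouched. Hex addresses are compared
// case-insensitively because checksummed addresses use mixed case (assumption).
func AuthorizePublish(tokenAddress string, topics []string) error {
	if tokenAddress == "" {
		return errors.New("missing authenticated wallet address")
	}
	for _, t := range topics {
		addr, restricted := restrictedTopicAddress(t)
		if !restricted {
			continue
		}
		if !strings.EqualFold(addr, tokenAddress) {
			return fmt.Errorf("topic %q: %w", t, ErrTopicAddressMismatch)
		}
	}
	return nil
}

func main() {
	// Constructed sample addresses, not real wallets.
	owner := "0xAbC0000000000000000000000000000000000001"
	other := "0xDEF0000000000000000000000000000000000002"
	requests := [][]string{
		{"contact-" + owner, "privatestore-" + owner}, // allowed: own topics
		{"contact-" + other},                          // denied: someone else's
		{"testprivate-" + strings.ToLower(owner)},     // allowed: case differs only
		{"anything-else"},                             // allowed: not restricted
	}
	for _, topics := range requests {
		fmt.Printf("%v -> %v\n", topics, AuthorizePublish(owner, topics))
	}
}
```

The check sits naturally after token validation in the same interceptor chain: the token tells you who the caller is, and this step decides whether that identity may write to each topic in the request.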
#157 and #158 propose protection measures for these topics at the network layer, but a lot easier and likely sufficient in the short term is to simply apply the auth headers at the client API level. So let's do this first and possibly the other things later.