xmtp / xmtp-node-go

Software for the nodes that currently form the XMTP network
MIT License

Use auth headers to protect contact and privatestore topics at the client API level #159

Closed mkobetic closed 1 year ago

mkobetic commented 1 year ago

#157 and #158 propose protection measures for these topics at the network layer, but a lot easier and likely sufficient in the short term is to simply apply the auth headers at the client API level. So let's do this first and possibly the other things later.

mkobetic commented 1 year ago

Looks like all publish requests are already authenticated as soon as --api-authn-enable is set. https://github.com/xmtp/xmtp-node-go/blob/main/pkg/api/interceptor.go#L66

mkobetic commented 1 year ago

Looks like we don't enable api.authn just yet in either dev or production, so this seems to boil down to just some infra updates. Do we feel comfortable pulling the trigger on this?

neekolas commented 1 year ago

What about E2E tests?

mkobetic commented 1 year ago

> What about E2E tests?

Looking at the TF files I don't think we're using it there either.

mkobetic commented 1 year ago

@snormore would you recommend doing it on e2e tests first?

mkobetic commented 1 year ago

Hm, although I just realized that the existing interceptor just validates the token, but we also want to extend the authorization code to check for the two topics and deny if the token address doesn't match the topic address.

snormore commented 1 year ago

@mkobetic if we want to test restricted topics via e2e we'd have to either (1) emit test messages on more legit contact- or privatestore- topics (which would make it harder to clean them up because they can't be distinguished as test topics), or (2) add a testprivate- topic check along with the contact- or privatestore- checks and emit to that as an e2e test for it.
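The authorization step described in the two comments above (deny a publish to a `contact-` or `privatestore-` topic when the wallet address in the validated token does not match the address in the topic), sketched as an added, stand-alone Go example. This is not code from xmtp-node-go and it does not use the project's interceptor or token types: it assumes a topic layout of `<prefix><address>[-<suffix>]`, takes the already-validated token address as a plain string, and includes the `testprivate-` prefix only as the e2e-test idea proposed in the last comment. Function names and the sample topics are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Prefixes of topics that only their owning wallet may publish to.
// "contact-" and "privatestore-" come from the issue; "testprivate-" is the
// assumed e2e-only prefix proposed in the thread, kept separate so a
// deployment can drop it outside of test environments.
var restrictedPrefixes = []string{"contact-", "privatestore-", "testprivate-"}

var (
	ErrUnauthenticated = errors.New("restricted topic requires an authenticated token")
	ErrUnauthorized    = errors.New("token address does not match topic address")
)

// restrictedTopicAddress returns the wallet address embedded in a restricted
// topic and true, or "" and false when the topic is not restricted.
// Assumed layout: "<prefix><address>" with an optional "-<suffix>" after the
// address (so "privatestore-0xabc-prefs" yields "0xabc").
func restrictedTopicAddress(topic string) (string, bool) {
	for _, p := range restrictedPrefixes {
		if strings.HasPrefix(topic, p) {
			rest := strings.TrimPrefix(topic, p)
			addr, _, _ := strings.Cut(rest, "-")
			return addr, true
		}
	}
	return "", false
}

// authorizePublish decides whether the wallet named by tokenAddr (already
// validated by the authentication interceptor) may publish to topic.
// Unrestricted topics are always allowed; restricted ones require a token
// whose address matches the topic's address. Hex addresses are compared
// case-insensitively so checksummed and lower-case forms agree.
func authorizePublish(tokenAddr, topic string) error {
	addr, restricted := restrictedTopicAddress(topic)
	if !restricted {
		return nil
	}
	if tokenAddr == "" {
		return ErrUnauthenticated
	}
	if addr == "" || !strings.EqualFold(addr, tokenAddr) {
		return ErrUnauthorized
	}
	return nil
}

// authorizeBatch applies authorizePublish to every topic in a publish request
// and rejects the whole request on the first denial, so a restricted topic
// cannot ride along with otherwise acceptable envelopes.
func authorizeBatch(tokenAddr string, topics []string) error {
	for _, t := range topics {
		if err := authorizePublish(tokenAddr, t); err != nil {
			return fmt.Errorf("topic %q: %w", t, err)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a wallet publishing to its own contact topic, an
	// unrelated topic, and someone else's privatestore topic.
	batch := []string{"contact-0xAbC123", "intro-0x999", "privatestore-0xdef456-prefs"}
	fmt.Println(authorizeBatch("0xabc123", batch))
	// → topic "privatestore-0xdef456-prefs": token address does not match topic address
}
```

The deny decision lives in one function so the same check can be reused for both single and batch publish paths; the address extraction and the prefix list are the only pieces that would need adjusting to the project's real topic format.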