Conversation
knowack1
left a comment
knowack1
left a comment
There was a problem hiding this comment.
The PR title says this is Authentication but this is rather Authorization
csds/uec_csds/api/sessions.py
Outdated
|
|
||
| router = APIRouter() | ||
|
|
||
| @router.get("/sessions", dependencies=[Depends(require_scopes({"sessions:read"}))]) |
There was a problem hiding this comment.
Why second session endpoint? How it works with the other conflicting one ?
There was a problem hiding this comment.
Good catch — this was an intermediate MVP artifact.
There is no intention to expose two /sessions endpoints. The duplicate route was introduced while testing scope-based authorization and was not meant to coexist long-term.
The implementation has now been consolidated into a single /sessions endpoint, which:
enforces sessions:read authorization
returns faulted sessions via the defined response model
removes any routing conflict or ambiguity
Authentication is handled earlier in the pipeline; this endpoint only performs authorization and data access.
Thanks for flagging this — resolved in the latest commit.
csds/main.py
Outdated
| def configure_logging(): | ||
| logging.basicConfig( | ||
| format="%(name)s - %(levelname)s - %(message)s", level=logging.INFO | ||
| format="%(name)s - %(levelname)s - %(message)s", |
There was a problem hiding this comment.
Please do not modify unrelated code nor introduce the unrelevant changes to the task. If you you like to introduce not related changes please do this in dedicated PR or at least in dedicated commit.
There was a problem hiding this comment.
You’re right — the logging-related changes are not directly related to the scope of this PR.
I have reverted those changes and limited this PR strictly to the authentication/authorization-related logic and required wiring.
Any logging or other cross-cutting improvements will be proposed separately in a dedicated PR (or at least a dedicated commit), to keep the scope clean and reviewable.
| csds-ui/.DS_Store | ||
| csds-ui/.env | ||
| csds-ui/node_modules/ | ||
| # ========================= |
There was a problem hiding this comment.
You're right — this change is unrelated. I will revert the .gitignore
modification to keep the PR focused.
| @@ -0,0 +1,21 @@ | |||
| [build-system] | |||
There was a problem hiding this comment.
Changes in this file are not related to Authorization.
|
|
||
|
|
||
| def hash_api_key(raw_key: str) -> str: | ||
| return hashlib.sha256(raw_key.encode("utf-8")).hexdigest() |
There was a problem hiding this comment.
How we assure that given scopes comes from trusted source?
There was a problem hiding this comment.
Scopes are not taken from the client. They are assigned server-side based
on trusted configuration for a given API key. This is a deliberate MVP
trade-off.
| - Requires discipline to avoid redefining schemas in routes | ||
|
|
||
| ## Notes | ||
| This ADR was introduced while implementing automated tests for |
There was a problem hiding this comment.
This is not true. Please remove this ADR files. I haven't seen practice to push such files into the repo. No one will ever read this files, hence I think there is no reason to add them. Better place for such description would be the GH test/issue itself rather the code/repo.
| except Exception as e: | ||
| logging.error(f"Unexpected error: {e}", exc_info=True) | ||
| exit(1) | ||
| exit(1) No newline at end of file |
There was a problem hiding this comment.
Please restore new line at the end of file.
| from uec_csds.db.database import Database | ||
|
|
||
| db = Database() | ||
| app = create_app(db) |
There was a problem hiding this comment.
What is the purpose of this change ? db and app are already created in csds.py.
|
@snabo1988 I think more important would be to focus on #23. Currently verifying changes is very cumbersome. |
2 participants
Summary
Introduces MVP-level API authentication for CSDS.
This PR adds a simple token-based authentication layer to secure API endpoints
required for MVP scope.
Scope
Out of scope
Related
Notes
Authentication was implemented before automated tests as a prerequisite
for validating protected API endpoints.