Skip to content

feat: validate token in sticker-catalogue and sticker-award#167

Merged
scottgerring merged 6 commits into
mainfrom
feat/auth-everything
Jan 23, 2026
Merged

feat: validate token in sticker-catalogue and sticker-award#167
scottgerring merged 6 commits into
mainfrom
feat/auth-everything

Conversation

@scottgerring

@scottgerring scottgerring commented Jan 22, 2026

Copy link
Copy Markdown
Member

Add token validation to sticker-catalogue and sticker-award. Does not validate permissions - e.g. we don't check that only a user can manipulate their own resources. For now. I want to get the broad strokes in and stabilised first.

@scottgerring scottgerring force-pushed the feat/auth-everything branch 2 times, most recently from 48888c1 to 1597889 Compare January 22, 2026 12:24
@scottgerring scottgerring force-pushed the feat/auth-everything branch 2 times, most recently from 0f74093 to 74f42be Compare January 23, 2026 09:03
@@ -0,0 +1,77 @@
import { test, expect } from '@playwright/test';

test.describe('API Authentication Requirements', () => {

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added tests to validate

// This makes tokens transparent (signed JWTs) instead of encrypted JWEs.
// Required for services like sticker-award and sticker-catalogue that validate
// tokens using the JWKS endpoint.
options.DisableAccessTokenEncryption();

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jeastham1993 we talked about doing this anyway right?

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@scottgerring no, I think we need it still? Otherwise downstream services can't decode the JWT to do RBAC. Longer term I think we look to remove (backlog issue) but for the purposes of stability I think we leave it disabled for now. We use https in production which provides a layer of encryption right?

@scottgerring scottgerring force-pushed the feat/auth-everything branch 2 times, most recently from 5e9f62b to 9a9ac87 Compare January 23, 2026 12:35
Comment thread docker-compose.yml
# OAUTH_ISSUER: The issuer claim expected in JWT tokens (matches what user-management sets)
# Note: OpenIddict adds trailing slash to issuer, so we must include it here
# OAUTH_JWKS_URL: Internal Docker network URL to fetch JWKS for token validation
OAUTH_ISSUER: ${DEPLOYMENT_HOST_URL}/

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think we look into OpenIddict config to try and fix it? Or just live with it?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i don't think it's really broken, i think we just need to be actively consistent. This seems to be the easier way around - i stuffed about trying to get dotnet to not append /, but ultimately I don't care which way it goes, as long as they are all the same!

Comment thread sticker-catalogue/mise.toml
// This makes tokens transparent (signed JWTs) instead of encrypted JWEs.
// Required for services like sticker-award and sticker-catalogue that validate
// tokens using the JWKS endpoint.
options.DisableAccessTokenEncryption();

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@scottgerring no, I think we need it still? Otherwise downstream services can't decode the JWT to do RBAC. Longer term I think we look to remove (backlog issue) but for the purposes of stability I think we leave it disabled for now. We use https in production which provides a layer of encryption right?

Comment thread web-backend/mise.toml

[tasks."aws:deploy:local"]
description = "Deploy to AWS (build container locally)"
depends = ["//:env:setup", "//shared:aws:deploy:local", "//user-management:aws:deploy:local"]

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, why is user-mgmt removed?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because it makes the dev experience miserable basically:

if you say mise aws:deploy:local from the top level project, it deploys each service, and each service triggers a redeploy of user-management. because in this case it is packaging and pushing a local container, it triggers a task rollout N times on user-service, which is rubbish.

I think it is better to make the deploy quick and rational and have any users who are being clever enough to go into a sub-service and explicitly deploy it know they need to have deployed user-service

@jeastham1993 jeastham1993 self-requested a review January 23, 2026 13:55
@scottgerring scottgerring marked this pull request as ready for review January 23, 2026 13:56
@scottgerring scottgerring merged commit b3a7fb0 into main Jan 23, 2026
38 checks passed
@scottgerring scottgerring deleted the feat/auth-everything branch January 23, 2026 13:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants