Merge pull request #124 from supabase/chore/tidy_operator_token

Chore/tidy operator token

Author: kangmingtay

api/api.go

@@ -170,23 +170,23 @@ func NewAPIWithVersion(ctx context.Context, globalConfig *conf.GlobalConfigurati
 		})
 	})
 
-	if globalConfig.MultiInstanceMode {
-		// Operator microservice API
-		r.WithBypass(logger).With(api.verifyOperatorRequest).Get("/", api.GetAppManifest)
-		r.Route("/instances", func(r *router) {
-			r.UseBypass(logger)
-			r.Use(api.verifyOperatorRequest)
-
-			r.Post("/", api.CreateInstance)
-			r.Route("/{instance_id}", func(r *router) {
-				r.Use(api.loadInstance)
-
-				r.Get("/", api.GetInstance)
-				r.Put("/", api.UpdateInstance)
-				r.Delete("/", api.DeleteInstance)
-			})
-		})
-	}
+	// if globalConfig.MultiInstanceMode {
+	// 	// Operator microservice API
+	// 	r.WithBypass(logger).With(api.verifyOperatorRequest).Get("/", api.GetAppManifest)
+	// 	r.Route("/instances", func(r *router) {
+	// 		r.UseBypass(logger)
+	// 		r.Use(api.verifyOperatorRequest)
+
+	// 		r.Post("/", api.CreateInstance)
+	// 		r.Route("/{instance_id}", func(r *router) {
+	// 			r.Use(api.loadInstance)
+
+	// 			r.Get("/", api.GetInstance)
+	// 			r.Put("/", api.UpdateInstance)
+	// 			r.Delete("/", api.DeleteInstance)
+	// 		})
+	// 	})
+	// }
 
 	corsHandler := cors.New(cors.Options{
 		AllowedMethods:   []string{http.MethodGet, http.MethodPost, http.MethodPut, http.MethodDelete},

api/external.go

@@ -72,7 +72,7 @@ func (a *API) ExternalProviderRedirect(w http.ResponseWriter, r *http.Request) e
 		InviteToken: inviteToken,
 		Referrer:    redirectURL,
 	})
-	tokenString, err := token.SignedString([]byte(a.config.OperatorToken))
+	tokenString, err := token.SignedString([]byte(config.JWT.Secret))
 	if err != nil {
 		return internalServerError("Error creating state").WithInternalError(err)
 	}
@@ -310,10 +310,11 @@ func (a *API) processInvite(ctx context.Context, tx *storage.Connection, userDat
 }
 
 func (a *API) loadExternalState(ctx context.Context, state string) (context.Context, error) {
+	config := a.getConfig(ctx)
 	claims := ExternalProviderClaims{}
 	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}
 	_, err := p.ParseWithClaims(state, &claims, func(token *jwt.Token) (interface{}, error) {
-		return []byte(a.config.OperatorToken), nil
+		return []byte(config.JWT.Secret), nil
 	})
 	if err != nil || claims.Provider == "" {
 		return nil, badRequestError("OAuth state is invalid: %v", err)

api/middleware.go

@@ -82,6 +82,7 @@ func (a *API) loadJWSSignatureHeader(w http.ResponseWriter, r *http.Request) (co
 
 func (a *API) loadInstanceConfig(w http.ResponseWriter, r *http.Request) (context.Context, error) {
 	ctx := r.Context()
+	config := a.getConfig(ctx)
 
 	signature := getSignature(ctx)
 	if signature == "" {
@@ -91,7 +92,7 @@ func (a *API) loadInstanceConfig(w http.ResponseWriter, r *http.Request) (contex
 	claims := NetlifyMicroserviceClaims{}
 	p := jwt.Parser{ValidMethods: []string{jwt.SigningMethodHS256.Name}}
 	_, err := p.ParseWithClaims(signature, &claims, func(token *jwt.Token) (interface{}, error) {
-		return []byte(a.config.OperatorToken), nil
+		return []byte(config.JWT.Secret), nil
 	})
 	if err != nil {
 		return nil, badRequestError("Operator microservice signature is invalid: %v", err)
@@ -115,7 +116,7 @@ func (a *API) loadInstanceConfig(w http.ResponseWriter, r *http.Request) (contex
 		return nil, internalServerError("Database error loading instance").WithInternalError(err)
 	}
 
-	config, err := instance.Config()
+	config, err = instance.Config()
 	if err != nil {
 		return nil, internalServerError("Error loading environment config").WithInternalError(err)
 	}
@@ -150,38 +151,19 @@ func (a *API) limitHandler(lmt *limiter.Limiter) middlewareHandler {
 	}
 }
 
-func (a *API) verifyOperatorRequest(w http.ResponseWriter, req *http.Request) (context.Context, error) {
-	c, _, err := a.extractOperatorRequest(w, req)
-	return c, err
-}
-
-func (a *API) extractOperatorRequest(w http.ResponseWriter, req *http.Request) (context.Context, string, error) {
-	token, err := a.extractBearerToken(w, req)
-	if err != nil {
-		return nil, token, err
-	}
-	if token == "" || token != a.config.OperatorToken {
-		return nil, token, unauthorizedError("Request does not include an Operator token")
-	}
-	return withAdminUser(req.Context(), &models.User{ID: uuid.Nil, Email: "operator@netlify.com"}), token, nil
-}
-
 func (a *API) requireAdminCredentials(w http.ResponseWriter, req *http.Request) (context.Context, error) {
-	c, t, err := a.extractOperatorRequest(w, req)
-	if err == nil {
-		return c, nil
-	}
-
-	if t == "" {
+	ctx := req.Context()
+	t, err := a.extractBearerToken(w, req)
+	if err != nil || t == "" {
 		return nil, err
 	}
 
-	c, err = a.parseJWTClaims(t, req, w)
+	ctx, err = a.parseJWTClaims(t, req, w)
 	if err != nil {
 		return nil, err
 	}
 
-	return a.requireAdmin(c, w, req)
+	return a.requireAdmin(ctx, w, req)
 }
 
 func (a *API) requireEmailProvider(w http.ResponseWriter, req *http.Request) (context.Context, error) {

conf/configuration.go

@@ -63,7 +63,7 @@ type GlobalConfiguration struct {
 	DB                DBConfiguration
 	External          ProviderConfiguration
 	Logging           LoggingConfig `envconfig:"LOG"`
-	OperatorToken     string        `split_words:"true" required:"true"`
+	OperatorToken     string        `split_words:"true" required:"false"`
 	MultiInstanceMode bool
 	Tracing           TracingConfig
 	SMTP              SMTPConfiguration