feat: validate read request for private data

ceramicnetwork · Aug 12, 2024 · b70c92f · b70c92f
1 parent 68ab303
commit b70c92f
Show file tree

Hide file tree

Showing 19 changed files with 970 additions and 122 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -44,6 +44,7 @@ axum = "0.6"
 backoff = "0.4"
 base64 = "0.21"
 bincode = "1.3.3"
+biscuit-auth = "4.1.1"
 bs58 = "0.4"
 bytecheck = "0.6.7"
 bytes = "1.1"
@@ -72,6 +73,8 @@ dag-jose = "0.2"
 deadqueue = "0.2.3"
 derivative = "2.2"
 derive_more = "0.99.17"
+did-pkh = "0.2.1"
+did-method-key = "0.2.2"
 dirs-next = "2"
 expect-test = "1.4.1"
 fastmurmur3 = "0.1.2"
@@ -154,6 +157,7 @@ smallvec = "1.10"
 sqlx = { version = "0.7", features = ["sqlite", "runtime-tokio", "chrono"] }
 ssh-key = { version = "0.5.1", default-features = false }
 ssi = { version = "0.7", features = ["ed25519"] }
+ssi-dids = "0.1.1"
 swagger = { version = "6.1", features = [
     "serdejson",
     "server",

diff --git a/api-server/api/openapi.yaml b/api-server/api/openapi.yaml
@@ -119,6 +119,22 @@ paths:
   /events/{event_id}:
     get:
       parameters:
+      - description: Bearer token
+        explode: false
+        in: header
+        name: Authorization
+        required: false
+        schema:
+          type: string
+        style: simple
+      - description: "URI to filter events against, such as ceramic://* or ceramic://*?model=base64url"
+        explode: true
+        in: query
+        name: resource
+        required: false
+        schema:
+          type: string
+        style: form
       - description: "CID of the root block of the event, used to identify of the\
           \ event"
         explode: false
@@ -141,6 +157,8 @@ paths:
               schema:
                 $ref: '#/components/schemas/BadRequestResponse'
           description: bad request
+        "401":
+          description: Unauthorized
         "404":
           content:
             text/plain:
@@ -430,6 +448,22 @@ paths:
   /feed/events:
     get:
       parameters:
+      - description: Bearer token
+        explode: false
+        in: header
+        name: Authorization
+        required: false
+        schema:
+          type: string
+        style: simple
+      - description: "URI to filter events against, such as ceramic://* or ceramic://*?model=base64url"
+        explode: true
+        in: query
+        name: resource
+        required: false
+        schema:
+          type: string
+        style: form
       - description: "token that designates the point to resume from, that is find\
           \ keys added after this point"
         explode: true
@@ -475,6 +509,8 @@ paths:
               schema:
                 $ref: '#/components/schemas/BadRequestResponse'
           description: bad request
+        "401":
+          description: Unauthorized
         "500":
           content:
             application/json:

diff --git a/api-server/docs/default_api.md b/api-server/docs/default_api.md
@@ -120,14 +120,24 @@ No authorization required
 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
 
 # ****
-> models::Event (event_id)
+> models::Event (event_id, optional)
 Get event data
 
 ### Required Parameters
 
 Name | Type | Description  | Notes
 ------------- | ------------- | ------------- | -------------
   **event_id** | **String**| CID of the root block of the event, used to identify of the event | 
+ **optional** | **map[string]interface{}** | optional parameters | nil if no parameters
+
+### Optional Parameters
+Optional parameters are passed through a map[string]interface{}.
+
+Name | Type | Description  | Notes
+------------- | ------------- | ------------- | -------------
+ **event_id** | **String**| CID of the root block of the event, used to identify of the event | 
+ **authorization** | **String**| Bearer token | 
+ **resource** | **String**| URI to filter events against, such as ceramic://_* or ceramic://_*?model=base64url | 
 
 ### Return type
 
@@ -360,6 +370,8 @@ Optional parameters are passed through a map[string]interface{}.
 
 Name | Type | Description  | Notes
 ------------- | ------------- | ------------- | -------------
+ **authorization** | **String**| Bearer token | 
+ **resource** | **String**| URI to filter events against, such as ceramic://_* or ceramic://_*?model=base64url | 
  **resume_at** | **String**| token that designates the point to resume from, that is find keys added after this point | 
  **limit** | **i32**| The maximum number of events to return, default is 100. The max with data is 10000. | 
  **include_data** | **String**| Whether to include the event data (carfile) in the response. In the future, only the payload or other options may be supported:   * `none` - Empty, only the event ID is returned   * `full` - The entire event carfile (including the envelope and payload)  | 

diff --git a/api-server/examples/client/main.rs b/api-server/examples/client/main.rs
@@ -151,7 +151,11 @@ fn main() {
             );
         }
         Some("EventsEventIdGet") => {
-            let result = rt.block_on(client.events_event_id_get("event_id_example".to_string()));
+            let result = rt.block_on(client.events_event_id_get(
+                "event_id_example".to_string(),
+                Some("authorization_example".to_string()),
+                Some("resource_example".to_string()),
+            ));
             info!(
                 "{:?} (X-Span-ID: {:?})",
                 result,
@@ -230,6 +234,8 @@ fn main() {
         }
         Some("FeedEventsGet") => {
             let result = rt.block_on(client.feed_events_get(
+                Some("authorization_example".to_string()),
+                Some("resource_example".to_string()),
                 Some("resume_at_example".to_string()),
                 Some(56),
                 Some("include_data_example".to_string()),

diff --git a/api-server/examples/server/server.rs b/api-server/examples/server/server.rs
@@ -162,11 +162,15 @@ where
     async fn events_event_id_get(
         &self,
         event_id: String,
+        authorization: Option<String>,
+        resource: Option<String>,
         context: &C,
     ) -> Result<EventsEventIdGetResponse, ApiError> {
         info!(
-            "events_event_id_get(\"{}\") - X-Span-ID: {:?}",
+            "events_event_id_get(\"{}\", {:?}, {:?}) - X-Span-ID: {:?}",
             event_id,
+            authorization,
+            resource,
             context.get().0.clone()
         );
         Err(ApiError("Generic failure".into()))
@@ -271,13 +275,17 @@ where
     /// Get all new event keys since resume token
     async fn feed_events_get(
         &self,
+        authorization: Option<String>,
+        resource: Option<String>,
         resume_at: Option<String>,
         limit: Option<i32>,
         include_data: Option<String>,
         context: &C,
     ) -> Result<FeedEventsGetResponse, ApiError> {
         info!(
-            "feed_events_get({:?}, {:?}, {:?}) - X-Span-ID: {:?}",
+            "feed_events_get({:?}, {:?}, {:?}, {:?}, {:?}) - X-Span-ID: {:?}",
+            authorization,
+            resource,
             resume_at,
             limit,
             include_data,