feat(sessions): implementing permission revoking #699
Conversation
geekbrother
force-pushed
the
feat/revoking_session
branch
from
aaf5cc8 to
066d1ce
Compare
src/handlers/sessions/revoke.rs
Outdated
| .hget(address.clone(), request_payload.pci.clone()) | ||
| .await? | ||
| .ok_or_else(|| RpcError::PermissionNotFound(request_payload.pci.clone()))?; | ||
| state.metrics.add_irn_latency(irn_call_start, "hget".into()); |
There was a problem hiding this comment.
Would be good to make this "hget" thing an enum (converting it to a string inside add_irn_latency())
There was a problem hiding this comment.
Good catch, we should get rid of magic string. Fixed in 4cf2436 by implementing OperationType enum.
| )?; | ||
|
|
||
| // Remove the session/permission item from the IRN | ||
| let irn_call_start = SystemTime::now(); |
There was a problem hiding this comment.
We should be using Instant::now() and instant.elapsed() instead here instead of SystemTime as it is panic/Result-free and possibly a little more accurate/less overhead
There was a problem hiding this comment.
Good point! This change should be the followup since we are using this everywhere in blockchain-api.
geekbrother
force-pushed
the
feat/revoking_session
branch
from
066d1ce to
b06a332
Compare
src/handlers/sessions/context.rs
Outdated
| state.metrics.add_irn_latency(irn_call_start, "hget".into()); | ||
| state | ||
| .metrics | ||
| .add_irn_latency(irn_call_start, OperationType::Hget.into()); |
There was a problem hiding this comment.
Good to change to enum but I would go a step further and convert the enum into a string inside add_irn_latency()
There was a problem hiding this comment.
Done 3ddc187. Thanks!
I missed that we need to check the request signature later, we need to get the verifying key for that. If the PCI not exists we can't verify/authorize the request. |
You only need to verify it if you are going to perform an action. If the action is already performed then you are good. |
Changed it. We are returning OK and warn on it now. |
Description
This PR implements the permission context revoking endpoint
/v1/sessions/{address}/revokeaccording to the API SPEC draft.For the request authentication, the signature (signed message) is used.
As a signing message, the permission controller unique identifier is used (PCI) and signed by the signing key (created during the session creation request).
Then the signature is verified at the server by the verification key which is stored during the session creation in the permission session object.
How Has This Been Tested?
Due Diligence