Data based Authorization
In some settings, it may be desirable to restrict access to particular datasets to particular individuals. The identity of users is typically passed via HTTP request headers such as the Cookie or Authorization headers. We expect that the precise mechanism will vary greatly. To support this with maximum flexibility, we propose to add an is_authorized(descriptor): Boolean method to the ItemSource interface. is_authorized will be called prior to CacheEntry.serve_content to verify that the user is allowed to access the indicated path. The default implementations for the provided FileItemSource and S3ItemSource always return true; an example implementation that requires a meaning-of-life cookie containing the text 42 could look as follows:
import os

from flask import request

from cellxgene_gateway.gateway import item_sources, launch
from cellxgene_gateway.items.file.fileitem_source import FileItemSource


class AdamsFileItemSource(FileItemSource):
    def is_authorized(self, descriptor: str) -> bool:
        # Allow access only when the meaning-of-life cookie contains "42".
        cookie = request.cookies.get('meaning-of-life', '')
        return cookie.find('42') != -1


# Register the source under the name "adams" and start the gateway.
cellxgene_data = os.environ.get("CELLXGENE_DATA", None)
item_sources.append(AdamsFileItemSource(cellxgene_data, "adams"))
launch()
In order to view a dataset, you can set the cookie in the JavaScript console with something like:
document.cookie = "meaning-of-life=42; expires=Thu, 18 Dec 2021 12:00:00 UTC; path=/";
If you delete the cookie by setting the expires date in the past, you should get a 403:
document.cookie = "meaning-of-life=42; expires=Thu, 18 Dec 2013 12:00:00 UTC; path=/";
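The cookie above is set by the client, so that example shows where the is_authorized hook sits rather than an access control. The following added example (not code from the cellxgene-gateway project) sketches a per-dataset check with deny-by-default, longest-prefix matching and rejection of ".." components. The ACL contents, the AclAuthorizer, canonical and allowed_users names, the X-Forwarded-User header, and the assumption that descriptor is a relative dataset path are all illustrative.

```python
# Added example: names, ACL contents and the header choice are assumptions.
ACL = {  # constructed sample: path prefix -> users allowed beneath it
    "public/": {"*"},  # "*" = any authenticated user
    "lab-a/": {"alice", "bob"},
    "lab-a/unpublished/": {"alice"},
}


def canonical(descriptor):
    """Return the descriptor as a clean relative path, or None if it has '..'."""
    parts = [p for p in descriptor.replace("\\", "/").split("/")
             if p not in ("", ".")]
    return None if ".." in parts else "/".join(parts)


def allowed_users(path, acl):
    """Users listed for the longest ACL prefix covering path (empty if none)."""
    matches = [p for p in acl if (path + "/").startswith(p)]
    return acl[max(matches, key=len)] if matches else set()


class AclAuthorizer:
    """Provides is_authorized(descriptor) -> bool for use in an ItemSource."""

    def __init__(self, acl, current_user):
        self.acl = acl
        # current_user: callable returning the authenticated user name or None.
        # Inside the gateway this could be
        #   lambda: request.headers.get("X-Forwarded-User")
        # assuming a reverse proxy authenticates users and overwrites the header.
        self.current_user = current_user

    def is_authorized(self, descriptor):
        user = self.current_user()
        path = canonical(descriptor)
        if not user or path is None:
            return False  # deny anonymous requests and traversal attempts
        users = allowed_users(path, self.acl)
        return "*" in users or user in users


if __name__ == "__main__":
    bob = AclAuthorizer(ACL, lambda: "bob")
    for d in ["lab-a/pbmc.h5ad", "lab-a/unpublished/new.h5ad",
              "public/../lab-a/unpublished/new.h5ad"]:
        print(d, bob.is_authorized(d))
```

A FileItemSource subclass could delegate its is_authorized method to such an object; the header-based identity is only trustworthy when clients cannot reach the gateway except through the authenticating proxy.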