fix: do not sign requests that have optional auth #3671
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Jordan-Nelson
force-pushed
the
feat/optional-auth
branch
from
cfa01d4 to
4db8eda
Compare
Jordan-Nelson
force-pushed
the
feat/optional-auth
branch
from
4db8eda to
b4debde
Compare
Jordan-Nelson
changed the title
dnys1
reviewed
Sep 1, 2023
| } | ||
| rethrow; | ||
| } | ||
| // Do not attempt to sign requests where auth is optional. |
There was a problem hiding this comment.
Suggested change
| // Do not attempt to sign requests where auth is optional. | |
| // Do not attempt to sign requests where auth is optional. | |
| // | |
| // This is only set in Cognito and SSO services where the trait indicates | |
| // that signing is strictly unnecessary and that signing the request does | |
| // not impact the behavior of the APIs. |
Wondering if we should put a check in place in smithy_codegen which throws if we encounter an @optionalAuth trait which is not in one of these services 🤔
There was a problem hiding this comment.
For example, we could add this to packages/smithy_codegen/lib/src/generate.dart:
/// Asserts that the `@optionalAuth` trait is only present in Cognito and SSO
/// services, where we know the behavior is that signing is strictly unnecessary.
///
/// Any other services which onboard this trait must be validated for the same behavior
/// before we can generate for them.
class _AssertOptionalAuthVisitor extends CategoryShapeVisitor<Shape> {
const _AssertOptionalAuthVisitor();
/// The list of known services where `@optionalAuth` is present and its behavior has
/// been verified.
static const _knownServices = [
'com.amazonaws.cognitoidentity',
'com.amazonaws.cognitoidentityprovider',
'com.amazonaws.sso',
'com.amazonaws.ssooidc',
];
@override
EnumShape enumShape(EnumShape shape, [Shape? parent]) => shape;
@override
ListShape listShape(ListShape shape, [Shape? parent]) => shape;
@override
MapShape mapShape(MapShape shape, [Shape? parent]) => shape;
@override
MemberShape memberShape(MemberShape shape, [Shape? parent]) => shape;
@override
OperationShape operationShape(OperationShape shape, [Shape? parent]) {
if (shape.hasTrait<OptionalAuthTrait>() &&
!_knownServices.contains(shape.shapeId.namespace)) {
throw StateError(
'Shape has @optionalAuth but it is not from a validated service: '
'${shape.shapeId}',
);
}
return shape;
}
@override
ResourceShape resourceShape(ResourceShape shape, [Shape? parent]) => shape;
@override
ServiceShape serviceShape(ServiceShape shape, [Shape? parent]) => shape;
@override
SetShape setShape(SetShape shape, [Shape? parent]) => shape;
@override
SimpleShape simpleShape(SimpleShape shape, [Shape? parent]) => shape;
@override
StructureShape structureShape(StructureShape shape, [Shape? parent]) => shape;
@override
UnionShape unionShape(UnionShape shape, [Shape? parent]) => shape;
}There was a problem hiding this comment.
Updated the comment.
As for the check, I think we have to be able to assume traits mean the same thing across services. In this case "optionalAuth" means that signing the request is not required, has no impact on the behavior.
Jordan-Nelson
force-pushed
the
feat/optional-auth
branch
from
b4debde to
3de7c25
Compare
Jordan-Nelson
force-pushed
the
feat/optional-auth
branch
from
3de7c25 to
a3294c0
Compare
Equartey
reviewed
Sep 21, 2023
Comment on lines
+204
to
+205
| await Amplify.Auth.getCurrentUser(); | ||
| return true; |
There was a problem hiding this comment.
Does this throws if it can't get the user?
dnys1
previously approved these changes
Sep 21, 2023
packages/auth/amplify_auth_cognito_test/test/state/sign_in_state_machine_test.dart
Outdated
Show resolved
Hide resolved
Equartey
previously approved these changes
Sep 21, 2023
Co-authored-by: Dillon Nys <[email protected]>
Equartey
approved these changes
Sep 22, 2023
dnys1
approved these changes
Sep 22, 2023
13 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
Description of changes:
WithSigV4to not sign requests that have optional authBy submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.