-
Notifications
You must be signed in to change notification settings - Fork 16
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
11 changed files
with
173 additions
and
73 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,115 @@ | ||
--- | ||
title: 'Auth Webhook' | ||
order: 80 | ||
--- | ||
|
||
## Auth Webhook | ||
|
||
### Overview | ||
|
||
An Auth Webhook enables fine-grained access control for your application by validating client requests through an external authentication server. | ||
This mechanism allows you to implement custom authorization logic, ensuring that only authorized users can perform specific operations on Yorkie documents. | ||
|
||
``` | ||
(5) Response (4) Handle request | ||
┌─────────────────┐ ┌──┐ | ||
│ │ │ │ (3) Response | ||
▼ │ ▼ │ - allowed | ||
┌──────┐ ┌┴─────┤ - reason ┌───────────────┐ | ||
│Client├────────────►│Server│◄──────────────┤External Server│ | ||
└──────┘ (1)Request └────┬─┘ └───────────────┘ | ||
- token │ ▲ | ||
- dockey └──────────────────────┘ | ||
(2) Call webhook | ||
- token | ||
- dockey | ||
- verb: r or rw | ||
``` | ||
|
||
The workflow follows these steps: | ||
1. Client makes a request with an authentication token | ||
2. Yorkie server forwards the request details to your webhook server | ||
3. Your webhook server validates the request and returns a response | ||
4. Based on the webhook response, Yorkie server either processes or rejects the original request | ||
|
||
### Setup and Configuration | ||
|
||
#### 1. Configure the Auth Webhook | ||
|
||
The simplest way to set up Auth Webhook is through the [Dashboard]({{DASHBOARD_PATH}}): | ||
- Navigate to the Project Settings page in the Dashboard | ||
- Configure the webhook URL and specify the methods to be authenticated | ||
|
||
<Image alt="setting auth-webhook" src="/assets/images/docs/auth-webhook-dashboard.png" width={1300} height={840} style={{ maxWidth: '1000px' }} /> | ||
|
||
You can also use the Yorkie CLI. Refer to the [updating the project](/docs/cli#updating-the-project). | ||
|
||
<Alert status="warning"> | ||
- Configuration changes may take up to 10 minutes to take effect. | ||
- If an Auth Webhook URL is set without specifying methods, authentication will be performed for ALL methods. | ||
- To disable authentication completely, you must remove the Auth Webhook URL. | ||
</Alert> | ||
|
||
#### 2. Client Configuration | ||
|
||
Use the `authTokenInjector` option when creating a client to provide authentication tokens: | ||
|
||
```javascript | ||
const client = new yorkie.Client('{{API_ADDR}}', { | ||
authTokenInjector: async (reason) => { | ||
// Handle token refresh logic based on webhook response | ||
if (reason === 'token expired') { | ||
return await refreshAccessToken(); | ||
} | ||
return accessToken; | ||
}, | ||
}); | ||
``` | ||
|
||
The authTokenInjector will be called again with the webhook's response reason if a `codes.Unauthenticated` error occurs, allowing the system to refresh tokens. | ||
|
||
#### 3. Webhook Request Format | ||
|
||
When a client makes a request, the server sends the following information to your webhook server: | ||
|
||
```json | ||
{ | ||
"token": "SOME_TOKEN", // Token from authTokenInjector | ||
"method": "PushPull", // Method being called: ActivateClient, DeactivateClient, AttachDocument, DetachDocument, WatchDocuments | ||
"documentAttributes": [{ | ||
"key": "DOCUMENT_KEY", // Document key | ||
"verb": "r" // Access level: 'r' or 'rw' | ||
}] | ||
} | ||
``` | ||
|
||
#### 4. Webhook Response Format | ||
|
||
Your webhook server should respond with: | ||
|
||
```json | ||
{ | ||
"allowed": true, // Authorization decision | ||
"reason": "ok" // Optional explanation | ||
} | ||
``` | ||
|
||
HTTP Status Codes: | ||
- `200 OK`: Request is authorized | ||
- `401 Unauthenticated`: Token is invalid or missing | ||
- `403 Permission Denied`: Token is valid but lacks required permissions | ||
|
||
#### 5. Error Handling and Recovery | ||
|
||
- Successful Authorization (200 + allowed:true) | ||
- Request proceeds normally | ||
- No special handling required | ||
- Permission Denied (403 + allowed:false) | ||
- Request fails with `codes.PermissionDenied` | ||
- Unauthenticated (401 + allowed:false) | ||
- System attempts token refresh via `authTokenInjector` | ||
- For `PushPull` in realtime sync mode and `WatchDocuments`: | ||
- Automatically retries after token refresh | ||
- Notifies via [`document.subscribe('auth-error')`](/docs/js-sdk#documentsubscribeauth-error) | ||
- For Other Methods: | ||
- Requires manual retry when handling `codes.Unauthenticated` error |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
--- | ||
title: 'Internals' | ||
order: 90 | ||
order: 100 | ||
--- | ||
|
||
## Internals | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
--- | ||
title: 'Self-Hosted Server' | ||
order: 80 | ||
order: 90 | ||
--- | ||
|
||
## Self-Hosted Server | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
--- | ||
title: 'AWS EKS Installation' | ||
order: 82 | ||
order: 92 | ||
--- | ||
|
||
## AWS EKS Installation | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
--- | ||
title: 'Cluster Addons Installation' | ||
order: 83 | ||
order: 93 | ||
--- | ||
|
||
## Cluster Addons Installation | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,6 +1,6 @@ | ||
--- | ||
title: 'Minikube Installation' | ||
order: 81 | ||
order: 91 | ||
--- | ||
|
||
## Minikube Installation | ||
|
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -526,6 +526,11 @@ html { | |
height: 100%; | ||
} | ||
} | ||
|
||
ul, | ||
ol { | ||
margin: 0; | ||
} | ||
} | ||
|
||
.btn_box { | ||
|