Flamenco-Server Proposal: Open Manager Interface calls to local users #54587
Currently, only users logged in via blender id can use the manager's interface actions, such as create_new(), revoke_auth_token(), as well as the PATCH eve call used to edit managers.
This is because the only method being used to authenticate users is the validate_token() method that is ran before every request is processed.
The validate_token() can find a user if one of the following is true:
- a token is provided via a Bearer Authorization header.
- a blender id token is provided via a session cookie.
My proposal is to change the second option to not only accept blender id tokens, but any other provided token that is stored in the database and is provided via the session cookie.
This looks as easy as grabbing the session from flask and then taking the user_id from that session and validating based on that user id.
I'm not sure why we aren't just using flask_login to authenticate these routes however, since it's already authenticating via session cookie anyways. Maybe flask_login doesn't handle login via the blender_id cookie?
If the goal is not to use session cookies, then the front end needs to be altered to use Bearer Tokens instead, and then the validate_token method needs to not check for session cookies at all... I think.
The create new manager and revoke existing token endpoints are easy to fix.
The problem I'm running into now is with editing a manager.
The interface uses the flamenco/manager patch method, which goes through Pillar's patch_handler, which uses authorization.require_login.
I feel like it would be too intrusive to edit the patch_manager, since that's a part of pillar itself.
I think the best solution for allowing a local user to edit a manager, would be to create an actual edit route, that does not use the patch_handler.
This would more closely mirror pillar's project edit workflow.
But I'm curious what you think @fsiddi
Hello Kael, unfortunately I'm very busy with other projects at the moment. I'll come back to this conversation later next week.
Hey @fsiddi , I ended up becoming busy myself with another project as well, but am freed up now and am looking into this again.
Would you have time to look at this, perhaps?
I'm going to have to re-acclimate myself to the project again, but once I do I'd like to go ahead and implement this if it sounds like the right direction to go.
Hi Kael - same here unfortunately. I'm definitely interested in looking into this, but it might take some time. I'll keep you posted!
Hi, thanks for your patch.
We are undergoing a Tracker Curfew where we are automatically closing old patches.
If you think the patch is still relevant please update and re-submit it. For new features make sure there is a clear design from the user level perspective.
No due date set.
No dependencies set.
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?