Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add download files signature check #472

Merged
merged 5 commits into from
Dec 20, 2024
Merged

feat: Add download files signature check #472

merged 5 commits into from
Dec 20, 2024

Conversation

bgins
Copy link
Contributor

@bgins bgins commented Dec 16, 2024
edited
Loading

Summary

This pull request makes the following changes:

  • Add signature check to download files route
  • Add headers to GET requests
  • Rename GetAddressFromHeaders to CheckSignature
  • Update error messages and comments

This pull request adds a signature check to the download files route to ensure requests comes from the job creator that requested the job.

Task/Issue reference

Closes: #473

Test plan

Start the stack. Run a job. Run the integration tests. Everything should work as expected.

We have also included a temporary commit to test an incorrect signature:

lilypad/pkg/http/utils.go

Lines 323 to 324 in 08a1625

AddHeaders(req, privateKey, web3.GetAddress(privateKey).String())
// AddHeaders(req, privateKey, "whoops-wrong-address")

Comment line 323 and uncomment 324 to force a mismatch between the reported address and the one derived from the signature. Note that this test mechanism works because we do not check signatures on any other GET route (for now).

Note that error returned to the job creator when the signature fails does not correctly report an error message because we have yet to address: #424

We will remove the temporary commit before merging this PR.

Details

This pull request should be considered a minimal first step towards job output retrieval auth. In the future, we may want to implement decentralized auth to enable other actors to download job outputs.

@bgins bgins requested a review from a team as a code owner December 16, 2024 17:57
@cla-bot cla-bot bot added the cla-signed label Dec 16, 2024
walkah
walkah approved these changes Dec 18, 2024
View reviewed changes
Copy link
Collaborator

@walkah walkah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks as always for the detailed test plan. Works for me! 🚢

@bgins bgins force-pushed the bgins/feat-add-download-auth branch from 08a1625 to dfc2448 Compare December 19, 2024 23:18
@bgins bgins merged commit 6b880ec into main Dec 20, 2024
4 checks passed
@bgins bgins deleted the bgins/feat-add-download-auth branch December 20, 2024 00:15
@lilypad-releases lilypad-releases bot mentioned this pull request Dec 20, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@walkah walkah walkah approved these changes

Assignees
No one assigned
Labels
cla-signed feature
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add signature check to dowload files route
2 participants
@bgins @walkah