Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generate Merchant API Key #21

Open
sblabreu opened this issue Mar 23, 2021 · 2 comments
Open

Generate Merchant API Key #21

sblabreu opened this issue Mar 23, 2021 · 2 comments

Comments

@sblabreu
Copy link
Collaborator

sblabreu commented Mar 23, 2021
edited
Loading

In order to be able to create Rules , Rule Groups and Rule Sets, in the header should contain an API Key.

The proposal mechanism to create api_keys is as follows:

  • Admin creates the merchant and it's Payload schema.
  • The payload schema is encoded in Json
  • Generating an HMAC string
  • Base encode64

Example in Elixir:

 iex(20)> :crypto.hmac(:sha256, "1", Jason.encode!(schema_test)) |> Base.encode64(padding: false)
"U4y283Xj4mVJ7hZcMMoThvzp7CY8Q1yIS4lYo8w1kuM"

The result should be the API Key to be used for all Calls from this merchant.

--header 'Content-Type: application/json' \
--header 'x-fre-origin: 1' \
--header 'Authorization: U4y283Xj4mVJ7hZcMMoThvzp7CY8Q1yIS4lYo8w1kuM' \
@jambtc
Copy link
Collaborator

jambtc commented Mar 24, 2021

This example doesn't work, because the two systems must have a common secret key to communicate each other and the sign must have the secret.
Then, I think it's better that the backend and the rules engine have saved their secret api key somewhere. (the backend save it in mysql table in a crypted field). I remember that we have already generated the key pair, otherwise we can generate a new one.

Example in Elixir:

iex(20)> :crypto.hmac(:sha256, "1", "SECRET_KEY") |> Base.encode64(padding: false)
"U4y283Xj4mVJ7hZcMMoThvzp7CY8Q1yIS4lYo8w1kuM"

We have a similar API Key to be used for calls.

--header 'Content-Type: application/json' \
--header 'x-fre-origin: 1' \
--header 'Authorization: U4y283Xj4mVJ7hZcMMoThvzp7CY8Q1yIS4lYo8w1kuM' \

But the Rules Engine can verify the sign in this way: get x-fre-origin and generate the sign with its SECRET_KEY. If the generated sign is equal to header Autorizazion the sign is valid and can permit to generate the schema that was sent in the payload.
Wwhat do you think about it?

@sblabreu sblabreu mentioned this issue Mar 24, 2021
Closed
@sblabreu
Copy link
Collaborator Author

As discussed the Planned actions :

  • add a new field api_key to the payloadSchema table. as follows

From:

  schema "payloadschemas" do
    field :merchant_id, :string
    field :schema, :map

    timestamps()
  end

to:
` schema "payloadschemas" do
field :merchant_id, :string
field :schema, :map
field :crypted_api_key, :string
field :api_key, :string, virtual: true

timestamps()

end`

  • Update the payload schema API to include the api_key field for create/update schema
    Then as suggested in previous comments.
  • on the HTTP API pipeline fetch the Authorization header and merchant_id, query payload schema table the api_key for the merchant_id and calculate the sign which should be equal to the Authorization header.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sblabreu @jambtc