Fix inconsistent auth/identity creation

[coolreader18]

Description of Changes

Now, in most cases, it'll create an identity if the user doesn't pass one.

Testing

spacetime init my_new_project --lang rust
cd my_new_project
spacetime publish my_module

# Make sure we can call a reducer with no identity
curl -X POST http://localhost:3000/database/my_module/say_hello

[bfops]

I think this mostly makes sense to me! I left some questions and confusions.

Also I have no idea if there's any automated test coverage we could/should be updating or anything 🤷

(I also left some notes for other reviewers based on my read-through; I'm not looking for a response from you on those! 🙂)

[bfops]

sorry, sanity-check - is this type serialized+deserialized anywhere besides via the Credentials trait? are we breaking compatibility with anything on some disk / over the wire / etc?

[coolreader18]

Yeah, nowhere else - it's just for Credentials.

[bfops]

probably a dumb question... why do only some of these routes get the ctx? Since the function is generic, I'd kind of expect it to just pass along ctx to everything?

[coolreader18]

Limitations of axum, sorta - the middleware needs access to ctx, but axum doesn't let middleware access the state from the router, so you have to double up on passing the state.

[bfops]

note for review: this got moved into the auth_middleware

[bfops]

note for review: this outer if got eaten by the change to SpacetimeAuthRequired

[bfops]

sorry, this one's confusing me - why did this change / is it the same behavior?

[coolreader18]

Same behavior, yeah, just more idiomatic.

[bfops]

where did CantDecodeAuthorizationToken go?

[coolreader18]

That wasn't an error that could ever actually occur; we basically encoded the token to base64 and then decoded it from base64 and if the decoding failed we returned that error. It could've just been an unwrap() instead of a variant.

[bfops]

again, a dumb question - we used to do e.into_kind() and wrap it in a specific return - does this work fine if we just return the "bare" Err value here?

[coolreader18]

Yeah, the error handling before was unnecessarily complicated, this is equivalent.

[bfops]

I might be missing something simple.. why do we return Ok(()) into res, only to .map(|()| None) here? Couldn't we just => Ok(None) above?

[coolreader18]

Yeah, I guess, but then it would be a None that would never be Some. it doesn't much matter I suppose, it could be Ok(None), the logic is just kinda convoluted and I was trying to preserve it while making it idiomatic.

[bfops]

Summary of changes, I think:

• Restructuring SpacetimeCreds datatype
• Factoring out helper functions, especially in SpacetimeCreds + SpacetimeAuthHeader
• Add SpacetimeAuthRequired
• Plumb a ctx parameter through our routes
• Add auth_middleware to create identities "on the fly" (and return them if appropriate)
• Wrap a bunch of routes in auth_middleware

[bfops]

Okay, I think this looks good to me - thank you for explaining everything!

[bfops]

I did another review pass, and had a few more comments

[bfops]

what do you think about renaming this to something more descriptive? e.g. anonymous_auth_middleware?

[coolreader18]

Not fully opposed, but I feel that this is descriptive enough as is - it's a feature of our auth system that you don't actually need to be auth'd, that we'll generate an identity for you. So this is the full auth middleware; it does do standard authentication (verify you are who you say you are), not just anonymous auth.

[coolreader18]

The only places we don't generate it for you is where it doesn't make any sense to - but there's no urgent reason to disallow e.g. set_email on an anonymous identity, just that it doesn't make much sense and is likely a mistake.

[bfops]

Our reviewers are a bit bottlenecked, and I don't think we should necessarily trust me as solo-reviewer yet 😅 - I moved just the auth.rs changes into their own refactor PR, on the hope that might make it easier to get review on everything. What do you think?

[bfops]

nit: this one ends up doing a auth.identity != identity check anyway, so would anonymous auth be fine like the others?

[coolreader18]

I think given we're validating the token - it makes sense to require a token to validate against. If you don't pass a token to validate_token it was probably a mistake.

[bfops]

why did this get to be removed?

[coolreader18]

Tidying up auth stuff, I guess. serde_with can do this conversion for us.

[bfops]

Ah I see the new serde_with line. Seems reasonable.

[bfops]

to double-check: are these always added by a different layer of the stack right now? even for things that don't use the auth_middleware?

[coolreader18]

No, only for anon_auth_middleware routes. However, the only routes that added the headers before now have anon_auth_middleware, so it's fine.

[bfops]

ah sorry I didn't look at where this was 😅 thank you!

[bfops]

(review note: I think this used to fail if auth wasn't present, but it's fine because we check for a specific identity below)

[cloutiertyler]

We do check. What's happening here is that instead of returning an error if you are unauthenticated (not unauthorized), we will create an anon authenticated user for you (which will presumably not be authorized).

[bfops]

(review note: I think this used to fail if auth wasn't present, but it's fine because we check for a specific identity below)

[bfops]

(review note: I think this used to fail if auth wasn't present, but it's fine because delete_database checks the identity)

[bfops]

(review note: create_dns_record and/or delete_database and/or publish_database will fail if you're not the right identity anyway)

addressed comments - approve?

[cloutiertyler]

On a high level this looks good to me. Your review comments are very helpful @bfops

[bfops]

PR is already approved, but adding my own approval notes - I will vouch for the fact that all the individual route changes (e.g. which ones are now SpacetimeAuthRequired etc.) are faithful translations of the previous logic.

I left review notes where the logic changed a bit, but is effectively the same.

I did not have the capacity to verify the small refactorings, because I'm unfamiliar with the underlying libs.