@bigmontz bigmontz commented Aug 9, 2023

⚠️ This API is released as preview.

Currently, the AuthTokenManager is designed to handle token expiration only. The AuthTokenManager interface only has methods to receive notifications on security errors related to token expiration: AuthTokenManager.onTokenExpired. The provided implementation neo4j.expirationBasedAuthTokenManager is built to support only token expiration. However, we also want to cater for password rotation scenarios.

Factory Method Changes

Expiration based and bearer tokens

The method neo4j.expirationBasedAuthTokenManager was renamed and moved to neo4j.authTokenManagers.bearer.

```typescript
import neo4j, { AuthToken } from 'neo4j-driver'

// myProvider stands for the application's own identity provider client;
// it is not part of neo4j-driver.

/**
 * Method called whenever the driver needs to refresh the token.
 *
 * The refresh happens when the server notifies the driver of a token
 * expiration, or when `Date.now() > tokenData.expiration`.
 *
 * Important: the driver blocks the creation of all connections until
 * this function resolves with the new auth token.
 */
async function fetchAuthTokenFromMyProvider () {
  const bearer: string = await myProvider.getBearerToken()
  const token: AuthToken = neo4j.auth.bearer(bearer)
  const expiration: Date = myProvider.getExpiryDate()
  return {
    token,
    // If expiration is not provided,
    // the driver only fetches a new token when a failure happens.
    expiration
  }
}

const driver = neo4j.driver(
  'neo4j://localhost:7687',
  neo4j.authTokenManagers.bearer({
    tokenProvider: fetchAuthTokenFromMyProvider
  })
)
```

Password rotation and basic auth

neo4j.authTokenManagers.basic was added to handle password rotation with AuthTokenManager.

```typescript
import neo4j from 'neo4j-driver'

// myProvider stands for the application's own secret store client;
// it is not part of neo4j-driver.

/**
 * Method called whenever the driver needs to refresh the token.
 *
 * Important: the driver blocks the creation of all connections until
 * this function resolves with the new auth token.
 */
async function fetchMyUserAndPassword () {
  const { user, password } = await myProvider.getUserAndPassword()
  return neo4j.auth.basic(user, password)
}

const driver = neo4j.driver(
  'neo4j://localhost:7687',
  neo4j.authTokenManagers.basic({
    tokenProvider: fetchMyUserAndPassword
  })
)
```

Development checklist

  • Update AuthTokenManager interface
  • Change expirationBasedAuthTokenManager factory name to authTokenManagers.bearer
  • Add authTokenManagers.basic factory
  • Adapt testkit-backend

⚠️ This API is released as preview.

@bigmontz bigmontz force-pushed the 5.x-password-rotation branch from bb25000 to 565b0c2 Compare August 10, 2023 12:26
@bigmontz bigmontz marked this pull request as ready for review August 15, 2023 10:57
@bigmontz bigmontz force-pushed the 5.x-password-rotation branch from 44b4c5d to a0dd159 Compare August 22, 2023 13:10
@bigmontz bigmontz merged commit 0a1b20e into neo4j:5.0 Aug 22, 2023
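
The code comments in the description state that the driver blocks connection creation until `tokenProvider` resolves, so a secret store that hangs during a password rotation stalls the whole pool. The following is an added example, not code from the pull request or the driver: a wrapper that bounds the wait and rejects empty credentials. `guardedTokenProvider`, `isUsableBasicToken` and the stand-in providers are hypothetical names, and the token shape is an assumption about what `neo4j.auth.basic` returns.

```javascript
// Added example: guardedTokenProvider, isUsableBasicToken and the stand-in
// providers below are hypothetical names, not part of neo4j-driver.

// Assumption: neo4j.auth.basic(user, password) yields an object shaped like
// { scheme: 'basic', principal: user, credentials: password }.
function isUsableBasicToken (token) {
  return token != null && token.scheme === 'basic' &&
    typeof token.principal === 'string' && token.principal.length > 0 &&
    typeof token.credentials === 'string' && token.credentials.length > 0
}

// Wraps a tokenProvider so that a hung secret store fails after timeoutMs
// instead of stalling connection creation, and so that an empty or malformed
// credential is rejected before it is handed to the driver.
function guardedTokenProvider (tokenProvider, timeoutMs, isUsable) {
  return async function guarded () {
    let timer
    const timeout = new Promise((resolve, reject) => {
      timer = setTimeout(
        () => reject(new Error(`tokenProvider timed out after ${timeoutMs} ms`)),
        timeoutMs)
    })
    try {
      const token = await Promise.race([tokenProvider(), timeout])
      // The error text omits the token so secrets never reach logs.
      if (!isUsable(token)) throw new Error('tokenProvider returned an unusable token')
      return token
    } finally {
      clearTimeout(timer)
    }
  }
}

// Constructed stand-ins for a secret store (no network or driver needed).
const rotated = async () => ({ scheme: 'basic', principal: 'app', credentials: 'new-secret' })
const hung = () => new Promise(() => {})
const empty = async () => ({ scheme: 'basic', principal: 'app', credentials: '' })

// Resolves to the principal on success, or to the error message on failure.
function outcome (provider) {
  return guardedTokenProvider(provider, 50, isUsableBasicToken)()
    .then(token => token.principal, err => err.message)
}

Promise.all([rotated, hung, empty].map(outcome)).then(console.log)
```

With the driver, the wrapped function would be passed as `tokenProvider`, for example `guardedTokenProvider(fetchMyUserAndPassword, 5000, isUsableBasicToken)`; the 5000 ms bound is an arbitrary illustrative value.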