Accessing Google Cloud Services from Sandstorm app


Jay Gischer

Apr 2, 2024, 6:41:13 PM
to Sandstorm Development
It looks to me as if GCS uses Authentication Bearer tokens to authorize access.

Unfortunately, Sandstorm's powerbox *also* uses Authentication Bearer tokens to grant access and direct queries.

I think this means that I can't have a grain make requests to GCS, and that I have to look for some other way to do things.  (Maybe I can homebrew and sign requests on the grain, since signed requests don't require bearer tokens.)

Am I wrong about this?  I really hope I'm wrong about this.

Jacob Weisz

Apr 3, 2024, 2:37:58 PM
to sandst...@googlegroups.com
That sounds possibly correct based on my reading of https://docs.sandstorm.io/en/latest/developing/powerbox/

I don't think there's a compelling reason to not let Sandstorm apps make requests using bearer tokens.

I did read a little bit about passing multiple tokens, and it sounds like one can send `Authorization: Bearer xxx, Bearer yyy` to include two different Bearer tokens in an authorization header. But I don't know (and am probably ill-equipped to test) whether Sandstorm strips the header entirely on an outbound request or not, or if either Sandstorm or GCS would balk at receiving a request with two bearer tokens.

--
  Jacob Weisz


Jay Gischer

Apr 4, 2024, 3:28:32 PM
to Sandstorm Development
I looked at the bridge_proxy code (bridge_proxy.c++) and found this:

    KJ_IF_MAYBE(auth, headers.get(hAuthorization)) {
      if (auth->startsWith("bearer ") || auth->startsWith("Bearer ")) {
        auto token = auth->slice(strlen("bearer "));
        auto service = getHttpSession(token);
        return dispatchToSession(kj::mv(service), method, url, headers, requestBody, response);
      }
    }

From this I conclude that no, multiple Bearer tokens are not handled by Sandstorm. There's no attempt to parse a comma-separated list here, so this code would fail to find the bearer token it needs. However, it also passes along the Authorization header; it doesn't appear to be deleted, though I could be wrong about that. More than one Authorization header is non-conformant, though it probably would work here as long as the one Sandstorm wants is first. It would then pass both along to GCS, and who knows what would happen there. We don't have the source to those servers.

If I knew a bit more about Sandstorm, I could attempt a fix here that A) looked for multiple Bearer tokens, B) searched the list for one that was registered with me, and C) deleted that from the Authorization header and passed the rest along. Frankly, I think it should likely remove the Authorization header if it contains nothing but the Sandstorm bearer token, but there may be a reason to keep it; I'm not quite enough of an expert to be sure of that.
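
The A/B/C handling proposed in the message above, as an added sketch that is not part of the thread or of Sandstorm's code. It assumes the comma-separated `Bearer xxx, Bearer yyy` form discussed earlier in the thread; `SplitAuth`, `splitAuthorization` and the `registered` set are hypothetical names, and standard-library types stand in for the KJ types the bridge uses.

```cpp
#include <cctype>
#include <optional>
#include <set>
#include <string>

struct SplitAuth {
  std::optional<std::string> sandstormToken;  // token found in the registry, if any
  std::optional<std::string> forwarded;       // header value left for the upstream
};

static std::string trim(const std::string& s) {
  auto b = s.find_first_not_of(" \t");
  if (b == std::string::npos) return "";
  return s.substr(b, s.find_last_not_of(" \t") - b + 1);
}

// Returns the token if `cred` uses the Bearer scheme (matched case-insensitively).
static std::optional<std::string> bearerToken(const std::string& cred) {
  static const std::string scheme = "bearer ";
  if (cred.size() <= scheme.size()) return std::nullopt;
  for (size_t i = 0; i < scheme.size(); i++)
    if (std::tolower(static_cast<unsigned char>(cred[i])) != scheme[i])
      return std::nullopt;
  return trim(cred.substr(scheme.size()));
}

// `registered` is a hypothetical stand-in for the bridge's own token lookup.
SplitAuth splitAuthorization(const std::string& header,
                             const std::set<std::string>& registered) {
  SplitAuth out;
  std::string rest;
  for (size_t pos = 0; pos <= header.size();) {
    size_t comma = header.find(',', pos);              // (A) walk the list
    if (comma == std::string::npos) comma = header.size();
    std::string cred = trim(header.substr(pos, comma - pos));
    pos = comma + 1;
    if (cred.empty()) continue;
    auto tok = bearerToken(cred);
    if (tok && !out.sandstormToken && registered.count(*tok)) {
      out.sandstormToken = tok;                        // (B) registered token
      continue;                                        // (C) never forwarded
    }
    if (!rest.empty()) rest += ", ";
    rest += cred;                                      // pass the others along
  }
  if (!rest.empty()) out.forwarded = rest;             // else drop the header
  return out;
}
```

When `forwarded` is empty the caller would omit the Authorization header on the outbound request, so the Sandstorm token is never sent to the external service.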
