Is your feature request related to a problem? Please describe.
Currently to authorize a graphql query all parameters have to be in the body of
the post request. Many tools like the grafana infinity data source
support adding authentication values via HTTP header, but do not support modifying the request body.
This makes it difficult to use them with the cloudbeaver graphql api.
Describe the solution you'd like
There are multiple ways to support authentication via headers. Two possible approaches are outlined below.
Option 1: Standard Authorization header
Support using Authorization: Bearer <TOKEN> for authLogin.
The Reverse Proxy handler already appears to support header-based authentication
(cloudbeaver/server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/RPSessionHandler.java, lines 97 to 100 in b0205e3):
String role = request.getHeader(resolveParam(paramConfigMap.get(RPConstants.PARAM_ROLE_NAME), RPAuthProvider.X_ROLE_TE));
String firstName = request.getHeader(resolveParam(paramConfigMap.get(RPConstants.PARAM_FIRST_NAME), RPAuthProvider.X_FIRST_NAME));
String lastName = request.getHeader(resolveParam(paramConfigMap.get(RPConstants.PARAM_LAST_NAME), RPAuthProvider.X_LAST_NAME));
String fullName = request.getHeader(resolveParam(paramConfigMap.get(RPConstants.PARAM_FULL_NAME), RPAuthProvider.X_FULL_NAME));
This seems like the cleanest solution.
Option 2: Custom headers mapped into the credentials object
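Allow custom headers to be injected into the credentials object when authenticating
(cloudbeaver/server/bundles/io.cloudbeaver.service.auth/src/io/cloudbeaver/service/auth/WebServiceBindingAuth.java, line 43 in b0205e3):
getArgument(env, "credentials"),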
I would be happy to implement this or provide a POC.
Describe alternatives you've considered
Using the reverse proxy provider.
- Adds additional deployment complexity
- Weakens security by expanding the trusted surface area
Additional context
Below is an example request using Option 2, where authentication data is partially provided via HTTP headers:
echo -n 'Password123' | md5sum | tr a-z A-Z
curl http://localhost:8978/api/gql \
  -Ss \
  -X POST \
  -H "Content-Type: application/json" \
  -H "X-Cloudbeaver-user: admin123" \
  -d @- <<'EOF'
{
  "operationName": "authLogin",
  "query": "
    query authLogin($provider: ID!, $credentials: Object!, $useHeaders: Boolean) {
      auth: authLogin(provider: $provider, credentials: $credentials, useHeaders: $useHeaders) {
        userTokens {
          userId
        }
      }
      projects: listProjects{
        id
        global
        shared
        name
        description
        canEditDataSources
        canViewDataSources
        canEditResources
        canViewResources
      }
    }
  ",
  "variables": {
    "provider": "local",
    "useHeaders": true,
    "credentials": {
      "password": "42F749ADE7F9E195BF475F37A44CAFCB"
    }
  }
}
EOF
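A sketch of how Option 2's header mapping could be constrained, added here as an example and not code from this issue or from CloudBeaver: only allowlisted X-Cloudbeaver-* headers are copied into credentials, and a header that is repeated or contradicts the body is rejected. The class name, the allowlist and the lower-cased key convention are assumptions; the header prefix and the useHeaders flag come from the request above.

```java
import java.util.*;

// Hypothetical helper illustrating Option 2; not part of the CloudBeaver code base.
public class HeaderCredentialMapper {
    private static final String PREFIX = "x-cloudbeaver-"; // prefix used in the example request
    private final Set<String> allowedKeys;                  // credential keys a header may supply

    public HeaderCredentialMapper(Set<String> allowedKeys) {
        this.allowedKeys = Set.copyOf(allowedKeys);
    }

    /** Returns the credentials to authenticate with; the body map is never mutated. */
    public Map<String, Object> merge(Map<String, List<String>> headers,
                                     Map<String, Object> body, boolean useHeaders) {
        Map<String, Object> merged = new LinkedHashMap<>(body);
        if (!useHeaders) return merged; // headers are ignored unless the caller opted in
        for (Map.Entry<String, List<String>> h : headers.entrySet()) {
            String name = h.getKey().toLowerCase(Locale.ROOT); // header names are case-insensitive
            if (!name.startsWith(PREFIX)) continue;
            String key = name.substring(PREFIX.length());
            if (!allowedKeys.contains(key)) continue; // unlisted keys never reach the auth provider
            if (h.getValue().size() != 1) {
                throw new IllegalArgumentException("expected exactly one header value for: " + key);
            }
            String value = h.getValue().get(0);
            Object existing = merged.putIfAbsent(key, value);
            if (existing != null && !existing.equals(value)) {
                throw new IllegalArgumentException("conflicting values supplied for: " + key);
            }
        }
        return merged;
    }

    public static void main(String[] args) {
        HeaderCredentialMapper mapper = new HeaderCredentialMapper(Set.of("user"));
        // Constructed input mirroring the curl request above.
        Map<String, List<String>> headers = Map.of(
            "X-Cloudbeaver-user", List.of("admin123"),
            "X-Cloudbeaver-role", List.of("admin"), // not allowlisted, so it is dropped
            "Content-Type", List.of("application/json"));
        Map<String, Object> body = Map.of("password", "42F749ADE7F9E195BF475F37A44CAFCB");
        System.out.println(mapper.merge(headers, body, true));  // user merged in from the header
        System.out.println(mapper.merge(headers, body, false)); // body credentials only
    }
}
```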