m-lab / token-exchange

70%

push

github

feat: implement client-integration token exchange (#7)

This diff implements token exchange for client integrations.

Here's the general design we are implementing:

1. organizations maintaining client integrations (e.g., Acme Inc embedding m-lab/ndt7-client-js to provide NDT to its users) register with the system and obtain 1+ API keys

2. Acme Inc provisions a backend `B` that stores its API keys

3. backend `B` receives a query for Acme Inc clients when they initiate running a NDT test

4. backend `B` queries m-lab/token-exchange to exchange one of its API keys with a short-lived JWT

5. backend `B` returns the JWT to the client

6. the client queries m-lab/locate including the JWT

7. m-lab/locate uses the JWT to route the client to the proper NDT server and/or to perform accounting and access control to prevent a single integration from overloading the platform

8. the JWT is included into the URLs to access m-lab/ndt-server where it is again used to perform access control

This diff specifically only implements the portion of this design pertaining to m-lab/token-exchange.

We take care of not storing the API key in Datastore. We use bcrypt instead to compare it to a known hash.

224 of 303 new or added lines in 7 files covered. (73.93%)

294 of 423 relevant lines covered (69.5%)

0.78 hits per line