Skip to content

feat(athena): Auth module #601

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 31 commits into
base: main
Choose a base branch
from
Open

feat(athena): Auth module #601

wants to merge 31 commits into from
+1,407 −38

Conversation

@bkioshn
Copy link
Contributor

@bkioshn bkioshn commented Oct 24, 2025
edited
Loading

Description

The Athena auth module replicates the authentication and authorization behavior of cat-gateway.

Auth Levels:

  • AuthLevel::Required - Full validation is mandatory
  • AuthLevel::Optional - Token is validated if present; skipped if absent
  • AuthLevel::None - No validation performed

Reference Documentation:
For complete implementation details and specifications, refer to the Catalyst Standards Documentation.

Related Issue(s)

Closes https://github.com/input-output-hk/catalyst-internal-docs/issues/326

Notes

  • src/database and src/rbac are redundant to what is in rbac-registration module, this should be moved to share in the later PR. No need to review these files
  • api_key.rs , token.rs, validation.rs are extracted from cat-gateway and slightly modified to make it work in Athena.
  • The main implementation is in the lib.rs
  • Open-api spec is not yet done

Tests

The test is made by running the whole Athena app using just build-run-all

The bearer token is generated using functionality in https://github.com/input-output-hk/catalyst-voices/tree/main/catalyst-gateway/tests/api_tests/integration

There is a hardcode information (cat id, signing key etc) that is used to create the Auth token. The hardcode cat id is a valid registration and exist in Cardano preprod

Please note that if this token is used to test again, it will be invalid due to expired nonce.

Success 200

curl -v -X GET \
  -H "Host: app.hermes.local" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer catid.:[email protected]/0KGVpkXVe5-h1RfIb08Mnc-xMZTzSX5VVnPDaHvhrqQ.aYCoRyWc-8fxtnBTvFxmVzNLUCT3d5ebHe6ZrLvO2xaPRmkwqQLY5BU51uQulfHqj3Zdr8DlMALcpyP9UwltBQ" \
  "http://localhost:5000/api/v1/registration?lookup=preprod.cardano/-oJaY9wntIVvpNzJivGmWJHTZahFSfGZNSFM1bnBHG4"
Note: Unnecessary use of -X or --request, GET is already inferred.
* Host localhost:5000 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:5000...
* connect to ::1 port 5000 from ::1 port 34122 failed: Connection refused
*   Trying 127.0.0.1:5000...
* Connected to localhost (127.0.0.1) port 5000
> GET /api/v1/registration?lookup=preprod.cardano/-oJaY9wntIVvpNzJivGmWJHTZahFSfGZNSFM1bnBHG4 HTTP/1.1
> Host: app.hermes.local
> User-Agent: curl/8.5.0
> Accept: */*
> Content-Type: application/json
> Authorization: Bearer catid.:[email protected]/0KGVpkXVe5-h1RfIb08Mnc-xMZTzSX5VVnPDaHvhrqQ.aYCoRyWc-8fxtnBTvFxmVzNLUCT3d5ebHe6ZrLvO2xaPRmkwqQLY5BU51uQulfHqj3Zdr8DlMALcpyP9UwltBQ
> 
< HTTP/1.1 200 OK
< content-type: application/json
< content-length: 1112
< date: Fri, 24 Oct 2025 07:10:49 GMT
< 
{"catalyst_id":"preprod.cardano/-oJaY9wntIVvpNzJivGmWJHTZahFSfGZNSFM1bnBHG4","last_persistent_txn":"0xd8a21ec3e89e6f38abad03cbff284e6e353fe6e8f56d8648712caf0c60579ce8","purpose":["ca7a1457-ef9f-4c7f-9c74-7f8c4a4cfa6c"],"roles":{"0":{"signing_keys":[{"is_persistent":true,"time":"2025-09-15T14:34:16+00:00","key_type":"x509","key_value":"0x308201173081caa00302010202045b2a4d4d300506032b657030003022180f32303235303931353134333335335a180f39393939313233313233353935395a3000302a300506032b6570032100fa825a63dc27b4856fa4dcc98af1a65891d365a84549f19935214cd5b9c11c6ea3623060305e0603551d110457305586537765622b63617264616e6f3a2f2f616464722f7374616b655f746573743175726a657437656c366c6e633466723866776c7136713432713574756830386770386a353772396a723370776d337172676a703866300506032b6570034100105397cb1da9a7af96a767d552045fde67748516d2ca529b2ab0f8fb4c0275d5b35db3455297509a3c31cea1b6ae2b3d982523f143d6065716e3614aaeb0cd0b"}],"payment_addresses":[{"is_persistent":true,"time":"2025-09-15T14:34:16+00:00","address":"addr_test1qr5c7ap3ty70c30v* Connection #0 to host localhost left intact
j5wfjqhwrq6c46nwlca295et02wvpe89jhanl4l832jxwja7p5p25pghew7wsz09fuxty8zzahzql5x5jf"}]}}}%

Invalid signature 403

curl -v -X GET \
  -H "Host: app.hermes.local" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer catid.:[email protected]/0KGVpkXVe5-h1RfIb08Mnc-xMZTzSX5VVnPDaHvhrqQ.YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYQ" \
  "http://localhost:5000/api/v1/registration?lookup=preprod.cardano/-oJaY9wntIVvpNzJivGmWJHTZahFSfGZNSFM1bnBHG4"
# Expected: 403 Forbidden
Note: Unnecessary use of -X or --request, GET is already inferred.
* Host localhost:5000 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:5000...
* connect to ::1 port 5000 from ::1 port 45226 failed: Connection refused
*   Trying 127.0.0.1:5000...
* Connected to localhost (127.0.0.1) port 5000
> GET /api/v1/registration?lookup=preprod.cardano/-oJaY9wntIVvpNzJivGmWJHTZahFSfGZNSFM1bnBHG4 HTTP/1.1
> Host: app.hermes.local
> User-Agent: curl/8.5.0
> Accept: */*
> Content-Type: application/json
> Authorization: Bearer catid.:[email protected]/0KGVpkXVe5-h1RfIb08Mnc-xMZTzSX5VVnPDaHvhrqQ.YWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYQ
> 
< HTTP/1.1 403 Forbidden
< content-type: application/json
< content-length: 88
< date: Fri, 24 Oct 2025 07:10:30 GMT
< 
* Connection #0 to host localhost left intact
{"Forbidden":"Insufficient Permission for Catalyst RBAC Token: [\"INVALID SIGNATURE\"]"}%

Wrong format 401

curl -v -X GET \
  -H "Host: app.hermes.local" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer catid.id.catalyst://:[email protected]/0KGVpkXVe5-h1RfIb08Mnc-xMZTzSX5VVnPDaHvhrqQ.jqVYU2Yq24XDpLyKjCwqL3CBLhLy9ntgFNN_lEYjvyC-BpXeNoDp-0d7k7rU8kNhGcYCo4qx1Gj9YtAl3hlWBA" \
  "http://localhost:5000/api/v1/registration?lookup=preprod.cardano/-oJaY9wntIVvpNzJivGmWJHTZahFSfGZNSFM1bnBHG4"
# Expected: 401 Unauthorized
Note: Unnecessary use of -X or --request, GET is already inferred.
* Host localhost:5000 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:5000...
* connect to ::1 port 5000 from ::1 port 47188 failed: Connection refused
*   Trying 127.0.0.1:5000...
* Connected to localhost (127.0.0.1) port 5000
> GET /api/v1/registration?lookup=preprod.cardano/-oJaY9wntIVvpNzJivGmWJHTZahFSfGZNSFM1bnBHG4 HTTP/1.1
> Host: app.hermes.local
> User-Agent: curl/8.5.0
> Accept: */*
> Content-Type: application/json
> Authorization: Bearer catid.id.catalyst://:[email protected]/0KGVpkXVe5-h1RfIb08Mnc-xMZTzSX5VVnPDaHvhrqQ.jqVYU2Yq24XDpLyKjCwqL3CBLhLy9ntgFNN_lEYjvyC-BpXeNoDp-0d7k7rU8kNhGcYCo4qx1Gj9YtAl3hlWBA
> 
< HTTP/1.1 401 Unauthorized
< content-type: application/json
< content-length: 92
< date: Fri, 24 Oct 2025 07:07:04 GMT
< 
* Connection #0 to host localhost left intact
{"Unauthorized":"Fail to parse RBAC token string, err: Catalyst ID must be in an ID format"}%

Please confirm the following checks

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream module

bkioshn and others added 16 commits October 22, 2025 14:33
@bkioshn
define new event wit for auth
fd5fe2b 
Signed-off-by: bkioshn <[email protected]>
@bkioshn
setup auth module
7d6caba 
Signed-off-by: bkioshn <[email protected]>
@bkioshn
fix integration test
5d1719c 
Signed-off-by: bkioshn <[email protected]>
@bkioshn
add auth level
e27f36c 
Signed-off-by: bkioshn <[email protected]>
@bkioshn
implement auth
8310fda 
Signed-off-by: bkioshn <[email protected]>
@bkioshn
fix typo
06d46d2 
Signed-off-by: bkioshn <[email protected]>
@bkioshn
Merge branch 'main' into feat/auth-token
75466d3
@bkioshn
fix integration test
4074d8f 
Signed-off-by: bkioshn <[email protected]>
@bkioshn
remove auth module
d0003ef 
Signed-off-by: bkioshn <[email protected]>
@bkioshn
revert
c9d2edd 
Signed-off-by: bkioshn <[email protected]>
@bkioshn
setup auth module
e78bf21 
Signed-off-by: bkioshn <[email protected]>
@bkioshn
copy rbac related
857b2b1 
Signed-off-by: bkioshn <[email protected]>
@bkioshn
add auth mod to just
9ef92e7 
Signed-off-by: bkioshn <[email protected]>
@bkioshn
impl auth module
92e9063 
Signed-off-by: bkioshn <[email protected]>
@bkioshn
Merge branch 'main' into feat/auth-token
d8b2be3
@bkioshn
typo
d22d1f9 
Signed-off-by: bkioshn <[email protected]>
@bkioshn bkioshn added the squad: hermetics Hermes Backend, System Development & Integration Team label Oct 24, 2025
@bkioshn bkioshn added this to Catalyst Oct 24, 2025
@bkioshn bkioshn marked this pull request as ready for review October 24, 2025 12:57
@bkioshn
fix cspell
e49f4ce 
Signed-off-by: bkioshn <[email protected]>
@bkioshn
cleanup
324ab51 
Signed-off-by: bkioshn <[email protected]>
@bkioshn
cspell
0ea14d8 
Signed-off-by: bkioshn <[email protected]>
Base automatically changed from feat/auth-token to main November 4, 2025 14:57
cong-or
cong-or previously approved these changes Nov 5, 2025
View reviewed changes
Copy link
Contributor

@cong-or cong-or left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@bkioshn bkioshn added the do not merge yet PR is not ready to be merged yet label Nov 10, 2025
@bkioshn
update deps
1dad69f 
Signed-off-by: bkioshn <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cong-or cong-or cong-or left review comments

@stevenj stevenj Awaiting requested review from stevenj stevenj is a code owner

@rafal-ch rafal-ch Awaiting requested review from rafal-ch rafal-ch is a code owner

@no30bit no30bit Awaiting requested review from no30bit no30bit is a code owner

@aido-mth aido-mth Awaiting requested review from aido-mth aido-mth is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@bkioshn bkioshn

Labels

do not merge yet PR is not ready to be merged yet squad: hermetics Hermes Backend, System Development & Integration Team

Projects

Catalyst
Status: New

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@bkioshn @cong-or @stevenj