Authorization and Authentication

The ROVI Data Hub protects sensitive data by encrypting the data it receives with a Fernet symmetric encryption key. To ensure that only authorized vendors can access the data, the system authenticates them with JSON Web Tokens (JWT). This document describes in detail the authentication method used in the FastAPI application, which encrypts the data it stores in Redis.

Generating New Tokens

For those with server access, new tokens can be generated by connecting to the server over SSH and running the following commands:

cd /data/rovi  # cd into the shared directory
./generate_tokens <space separated list of vendor_ids to generate tokens for>

This will automatically restart the docker-compose stack to apply the new tokens.

Detailed Authentication Method Description

The authentication method implemented in this code uses JSON Web Tokens (JWT) to secure access to the FastAPI endpoints. The system authenticates vendors by generating and verifying JWTs. Here's an overview of how the authentication works:

  1. Secret Key and Algorithm

    • `SECRET_KEY`: The `SECRET_KEY` is used to sign and verify the JWT tokens. It is retrieved from the environment variable `SECRET_KEY` or defaults to `"my-secret-key"` if not set.
    • `ALGORITHM`: The algorithm used to sign the JWT tokens is HS256 (HMAC with SHA-256), a symmetric algorithm in which the same key signs and verifies.
  2. ROVI Tokens

    • ROVI_TOKENS: This environment variable contains a list of pre-generated tokens (separated by commas) that are recognized by the system. These tokens can be used for service-to-service authentication.
  3. Token Generation: generate_rovi_tokens

    • This function generates JWT tokens for a specified number of vendors or a list of vendor names.
    • Parameters:
      • n_vendors: Optional integer specifying the number of vendor tokens to generate.
      • names: Optional list of strings specifying the names of vendors for which tokens are generated.
    • Functionality:
      • If neither names nor n_vendors is provided, it raises a ValueError.
      • It generates a JWT for each vendor with a payload containing the vendor name.
      • Returns a list of JWT tokens.
  4. Token Verification: verify_token

    • This function verifies the provided JWT token to ensure it is valid.
    • Parameters:
      • token: The JWT token provided by the client (extracted from the OAuth2 scheme).
    • Functionality:
      • The token is decoded using the SECRET_KEY and ALGORITHM.
      • If the token is invalid or cannot be decoded, an HTTP 401 Unauthorized error is raised.
    • Returns:
      • The decoded token payload if the token is valid.
  5. Identity Extraction: extract_identity

    • This function extracts the vendor identity from the JWT token.
    • Parameters:
      • token: The JWT token provided by the client.
    • Functionality:
      • The token is verified using verify_token.
      • The function extracts the "vendor" field from the decoded token payload.
      • If the "vendor" field is missing or invalid, an HTTP 401 Unauthorized error is raised.
    • Returns:
      • The vendor identifier (vendor_id) extracted from the token payload.

Example Usage

Generating Tokens:

rovi_tokens = generate_rovi_tokens(names=["vendor_1", "vendor_2"])
print(rovi_tokens)

This will generate JWT tokens for vendor_1 and vendor_2.

Extracting Identity:

for rovi_token in rovi_tokens:
    print(extract_identity(rovi_token))

This will print the identities (vendor_1, vendor_2) extracted from the tokens.

Security Considerations

  • JWT Signing: The tokens are signed with a secret key using the HS256 algorithm. Ensure the SECRET_KEY is kept secure and not exposed.
  • Token Verification: Always verify tokens before trusting them, as implemented in verify_token.
  • Environment Variables: Ensure the environment variables like SECRET_KEY and ROVI_TOKENS are securely managed and not hardcoded in the source code.
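
The `"my-secret-key"` fallback described under Secret Key and Algorithm means that a deployment with SECRET_KEY unset signs and accepts tokens under a value printed in this document. The following is an added example, not the project's own code: a loader that fails closed and a verifier pinned to HS256, written with the standard library as a stand-in for the application's JWT library. The names load_secret_key and sign_token and the explicit key parameter are assumptions made for illustration.

```python
import base64, hashlib, hmac, json

DOCUMENTED_DEFAULT = "my-secret-key"  # fallback value named in this document

def load_secret_key(env: dict) -> str:
    """Hypothetical loader: fail closed instead of falling back to a default."""
    key = env.get("SECRET_KEY", "")
    # RFC 7518 requires an HS256 key of at least 256 bits (32 bytes).
    if key == DOCUMENTED_DEFAULT or len(key.encode()) < 32:
        raise RuntimeError("SECRET_KEY must be a random value of 32+ bytes")
    return key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: str, signing_input: str) -> bytes:
    return hmac.new(key.encode(), signing_input.encode(), hashlib.sha256).digest()

def sign_token(payload: dict, key: str) -> str:
    """Hypothetical stand-in for the signing step of generate_rovi_tokens."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    return f"{head}.{body}.{_b64(_mac(key, head + '.' + body))}"

def verify_token(token: str, key: str) -> dict:
    """Return the payload or raise ValueError (the API would answer HTTP 401)."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(_unb64(head))
        # Pin the algorithm: never let the token choose how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        if not hmac.compare_digest(_mac(key, head + "." + body), _unb64(sig)):
            raise ValueError("bad signature")
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError("invalid token") from exc
    if not isinstance(payload, dict):
        raise ValueError("invalid token")
    return payload

def extract_identity(token: str, key: str) -> str:
    vendor = verify_token(token, key).get("vendor")
    if not isinstance(vendor, str) or not vendor:
        raise ValueError("missing vendor claim")
    return vendor
```

Calling load_secret_key(os.environ) once at startup turns a missing or default key into a failed deployment rather than a running service that trusts a public secret.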

Summary

This authentication method provides a secure and flexible way to manage access control in the FastAPI application by using JWT tokens. It ensures that only authorized vendors can access the protected endpoints by verifying their identity through signed tokens.