relay-proxy: Support API Keys validation to limit the applications being able to use GO Feature Flag

[dhanusaputra]

Description

The feature should meet the following requirements:

• The relay proxy should be modified to support a list of authorized API keys in the configuration.

will use APIKeys to initiate list of keys

• The authorized API keys list should be configurable.

configurable in goff.yaml

• The relay proxy should check the API keys in the Authorization header when receiving any requests and only allow requests with valid API keys.

use middleware.KeyAuthWithConfig to check the header with format: Bearer <key>

• Unauthorized requests should be rejected with an appropriate error message.

middleware.KeyAuthWithConfig.Validator will reject unauthorized requests

• The feature should not significantly impact the performance of the relay proxy.

basically will add one more process in middleware to check the header

Changes include

• Bugfix (non-breaking change that solves an issue)
• New feature (non-breaking change that adds functionality)
• Breaking changes (change that is not backward-compatible and/or changes current functionality)

Closes issue(s)

Resolve #613

Checklist

• I have tested this code
• I have added unit test to cover this code
• I have updated the documentation (README.md and /website/docs)
• I have followed the contributing guide

[netlify]

✅ Deploy Preview for go-feature-flag-doc-preview canceled.

Name	Link
🔨 Latest commit	99a39b4
🔍 Latest deploy log	https://app.netlify.com/sites/go-feature-flag-doc-preview/deploys/642c1c165e5cb30008330f97

[codecov]

Codecov Report

Merging #649 (99a39b4) into main (34d24f6) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #649   +/-   ##
=======================================
  Coverage   88.40%   88.40%           
=======================================
  Files          58       58           
  Lines        2605     2605           
=======================================
  Hits         2303     2303           
  Misses        252      252           
  Partials       50       50           

Impacted Files	Coverage Δ
cmd/relayproxy/config/config.go	95.31% <ø> (ø)
cmd/relayproxy/controller/all_flags.go	85.71% <ø> (ø)
cmd/relayproxy/controller/collect_eval_data.go	100.00% <ø> (ø)
cmd/relayproxy/controller/flag_eval.go	88.00% <ø> (ø)
cmd/relayproxy/main.go	0.00% <ø> (ø)

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[dhanusaputra]

hi @thomaspoignant just drafted this PR for initial feedback
please help take a look when have time thank you

please also check the controller part cmd/relayproxy/controller/api_key.go
it's still WIP, have put some comments regarding the API contract flow

one more thing, currently we can put user in request body of some endpoints to know who is the requester
maybe we can use the user data when we create API key?

[thomaspoignant]

Hey thanks for this PR.

I am not sure to understand how you proposal will work.
How can I add an API key? By calling the API and it will be stored in memory?
How will it work when the relay-proxy will restart, will we lose the API keys configured?

How I was thinking of doing this, was to have a list of API keys in the relay proxy configuration file and I would have challenged the authorization headers with everything that is part of this list.

[dhanusaputra]

How can I add an API key?

using the apiKeyCreate endpoint

By calling the API and it will be stored in memory?

yes

How will it work when the relay-proxy will restart, will we lose the API keys configured?

yes everything will be lost

How I was thinking of doing this, was to have a list of API keys in the relay proxy configuration file and I would have challenged the authorization headers with everything that is part of this list.

got it, let me rework the PR, I'm more aligned this way too, thank you for your feedback!

[dhanusaputra]

invalid url

[thomaspoignant]

Good catch 👍

[thomaspoignant]

This approach is way closer to what I had in mind thank you 🙏
I've added a few review point because I am not sure to get all the points here.

[thomaspoignant]

I am not sure to understand why you have a map[string]bool, is it to have a set here?
If so we may need to consider having a map[string]interface{} instead since it is a bit better in term of memory and size.

See https://itnext.io/set-in-go-map-bool-and-map-struct-performance-comparison-5315b4b107b

[dhanusaputra]

thanks for the article, TIL
let me change it into slice since it's more easy to understand in config

[thomaspoignant]

I am not sure to understand the boolean here.
Would it be better to have only a list, something like

apiKeys:
  - apikey1 # with a comment explaining who is the owner of the key
  - apikey2

I think it will make the configuration representation way easier to understand.
You can still put it in a set in the config struct, but in terms of configuration, it will be way more understandable for the users of the relay proxy.

[thomaspoignant]

You mention twice this, maybe we should remove one.

There will be no authorization when this config is not configured.

[dhanusaputra]

these 2 docs looks similar
https://github.com/thomaspoignant/go-feature-flag/blob/HEAD/cmd/relayproxy/docs/configuration.md
https://github.com/thomaspoignant/go-feature-flag/blob/main/website/docs/relay_proxy/configure_relay_proxy.md
maybe can just keep one

[thomaspoignant]

You are right.
I guess we could delete the one in cmd/relayproxy/docs since it is not really used and keep only the one that finish on the website.

[thomaspoignant]

This looks exactly to what I had in mind.
I will review it soon.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
0.0% Duplication

[thomaspoignant]

@dhanusaputra thanks a lot for this pull request this is a super great new addition to GO Feature Flag 🙏