Use Authorization + token instead of X-User-ID

Author: federicotdn

.dockerignore

@@ -1 +1,2 @@
 quickpizza.db
+Makefile

README.md

@@ -274,7 +274,7 @@ Example of header usage:
 ```
 curl -X POST http://localhost:3333/api/pizza \
      -H "Content-Type: application/json" \
-     -H "X-User-ID: 23423" \
+     -H "Authorization: abcdef0123456789" \
      -H "x-error-record-recommendation: internal-error" \
      -H "x-error-record-recommendation-percentage: 20" \
      -d '{}'

k6/browser/02.cookies.js

@@ -20,7 +20,7 @@ export default async function () {
   const pizzaContext = await browser.newContext();
   await pizzaContext.addCookies([
     {
-      name: "X-User-ID",
+      name: "FooBar",
       value: 123456,
       domain: BASE_URL,
       path: '/',
@@ -33,7 +33,7 @@ export default async function () {
 
   check(cookies, {
     "cookie length of QuickPizza page": cookies => cookies.length === 1,
-    "cookie name": cookies => cookies[0].name === "X-User-ID",
+    "cookie name": cookies => cookies[0].name === "FooBar",
     "cookie value": cookies => cookies[0].value === "123456"
   });
 
@@ -44,10 +44,10 @@ export default async function () {
   const anotherPage = await anotherContext.newPage();
   const anotherCookies = await anotherContext.cookies();
 
-  await anotherPage.goto('https://test.k6.io/');
+  await anotherPage.goto('https://example.org/');
 
   check(anotherCookies, {
-    "cookie length of k6 test page": anotherCookies => anotherCookies.length === 0,
+    "cookie length of example test page": anotherCookies => anotherCookies.length === 0,
   });
 
   await anotherPage.close();

k6/browser/07.hybrid.js

@@ -72,7 +72,7 @@ export function getPizza() {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       'Content-Type': 'application/json',
-      'X-User-ID': 123456,
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });
@@ -123,4 +123,4 @@ export async function pizzaRecommendations() {
   } finally {
     page.close();
   }
-}
+}

k6/disruptor/01.basic.js

@@ -49,7 +49,7 @@ export default function () {
     let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
         headers: {
             "Content-Type": "application/json",
-            "X-User-ID": 23423,
+            "Authorization": "token abcdef0123456789",
         },
     });
     check(res, {"status is 200": (res) => res.status === 200});

k6/disruptor/02.error.js

@@ -49,7 +49,7 @@ export default function () {
     let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
         headers: {
             "Content-Type": "application/json",
-            "X-User-ID": 23423,
+            "Authorization": "token abcdef0123456789",
         },
     });
     check(res, {"status is 200": (res) => res.status === 200});

k6/extensions/01.basic-internal.js

@@ -21,7 +21,7 @@ export default function() {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       'Content-Type': 'application/json',
-      'X-User-ID': 23423,
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });
@@ -35,4 +35,4 @@ export default function() {
     return followRestrictions;
   }});
   sleep(1);
-}
+}

k6/foundations/01.basic.js

@@ -20,10 +20,10 @@ export default function () {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       'Content-Type': 'application/json',
-      'X-User-ID': 23423,
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });
   console.log(`${res.json().pizza.name} (${res.json().pizza.ingredients.length} ingredients)`);
   sleep(1);
-}
+}

k6/foundations/02.stages.js

@@ -23,10 +23,10 @@ export default function () {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       'Content-Type': 'application/json',
-      'X-User-ID': 23423,
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });
   console.log(`${res.json().pizza.name} (${res.json().pizza.ingredients.length} ingredients)`);
   sleep(1);
-}
+}

k6/foundations/03.lifecycle.js

@@ -30,7 +30,7 @@ export default function () {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       'Content-Type': 'application/json',
-      'X-User-ID': 23423,
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });
@@ -41,4 +41,4 @@ export default function () {
 export function teardown(){
   // TODO: Send notification to Slack
   console.log("That's all folks!")
-}
+}

k6/foundations/04.metrics.js

@@ -34,7 +34,7 @@ export default function () {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       'Content-Type': 'application/json',
-      'X-User-ID': 23423,
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });
@@ -47,4 +47,4 @@ export default function () {
 export function teardown(){
   // TODO: Send notification to Slack
   console.log("That's all folks!")
-}
+}

k6/foundations/05.thresholds.js

@@ -39,7 +39,7 @@ export default function () {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       'Content-Type': 'application/json',
-      'X-User-ID': 23423,
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });
@@ -52,4 +52,4 @@ export default function () {
 export function teardown(){
   // TODO: Send notification to Slack
   console.log("That's all folks!")
-}
+}

k6/foundations/06.checks-with-thresholds.js

@@ -40,7 +40,7 @@ export default function () {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       'Content-Type': 'application/json',
-      'X-User-ID': 23423,
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });
@@ -53,4 +53,4 @@ export default function () {
 export function teardown() {
   // TODO: Send notification to Slack
   console.log("That's all folks!")
-}
+}

k6/foundations/07.scenarios.js

@@ -54,7 +54,7 @@ export function getPizza() {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       'Content-Type': 'application/json',
-      'X-User-ID': 23423,
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });
@@ -74,4 +74,4 @@ export function handleSummary(data) {
     'summary.json': JSON.stringify(data, null, 2),
     stdout: textSummary(data, { indent: " ", enableColors: true }),
   }
-}
+}

k6/foundations/08.arrival-rate.js

@@ -51,7 +51,7 @@ export function getPizza() {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       'Content-Type': 'application/json',
-      'X-User-ID': 23423,
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });
@@ -84,4 +84,4 @@ export function handleSummary(data) {
     'summary.json': JSON.stringify(data, null, 2),
     stdout: textSummary(data, { indent: " ", enableColors: true }),
   }
-}
+}

k6/foundations/09.data.js

@@ -59,7 +59,7 @@ export function getPizza() {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       'Content-Type': 'application/json',
-      'X-User-ID': customers[Math.floor(Math.random() * customers.length)],
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });
@@ -79,4 +79,4 @@ export function handleSummary(data) {
     'summary.json': JSON.stringify(data, null, 2),
     stdout: textSummary(data, { indent: " ", enableColors: true }),
   }
-}
+}

k6/foundations/10.summary.js

@@ -41,7 +41,7 @@ export default function () {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       'Content-Type': 'application/json',
-      'X-User-ID': 23423,
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });
@@ -61,4 +61,4 @@ export function handleSummary(data) {
     'summary.json': JSON.stringify(data, null, 2),
     stdout: textSummary(data, { indent: " ", enableColors: true }),
   }
-}
+}

k6/foundations/11.composability.js

@@ -73,7 +73,7 @@ export function getPizza() {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       "Content-Type": "application/json",
-      "X-User-ID": customers[Math.floor(Math.random() * customers.length)],
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });

k6/foundations/12.modularization.js

@@ -68,7 +68,7 @@ export function getPizza() {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       'Content-Type': 'application/json',
-      'X-User-ID': customers[Math.floor(Math.random() * customers.length)],
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });
@@ -92,4 +92,4 @@ export function handleSummary(data) {
     'summary.json': JSON.stringify(data, null, 2),
     stdout: textSummary(data, { indent: " ", enableColors: true }),
   }
-}
+}

k6/foundations/14.basic.tracing.js

@@ -25,7 +25,7 @@ export default function () {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       'Content-Type': 'application/json',
-      'X-User-ID': 23423,
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });

k6/foundations/15.basic.profiling.js

@@ -23,7 +23,7 @@ export default function () {
   let res = http.post(`${BASE_URL}/api/pizza`, JSON.stringify(restrictions), {
     headers: {
       "Content-Type": "application/json",
-      "X-User-ID": 23423,
+      'Authorization': 'token abcdef0123456789',
     },
   });
   check(res, { "status is 200": (res) => res.status === 200 });

pkg/http/client.go

@@ -96,9 +96,9 @@ func (hc httpClient) do(request *http.Request) (*http.Response, error) {
 	// Authenticate request with the super-secret internal token.
 	request.Header.Add("X-Is-Internal", "1")
 
-	// Propagate X-User-ID if present in request context.
-	if user, ok := request.Context().Value("user").(string); ok {
-		request.Header.Add("X-User-ID", user)
+	// Propagate Authorization if present in request context.
+	if auth, ok := request.Context().Value("authorization").(string); ok {
+		request.Header.Add("Authorization", auth)
 	}
 
 	return hc.client.Do(request)

pkg/http/http.go

@@ -38,6 +38,8 @@ import (
 	"github.com/grafana/quickpizza/pkg/web"
 )
 
+const tokenLength = 16
+
 // Variables storing prometheus metrics.
 var (
 	pizzaRecommendations = promauto.NewCounterVec(prometheus.CounterOpts{
@@ -117,7 +119,7 @@ func NewServer() (*Server, error) {
 	router.Use(cors.New(cors.Options{
 		AllowedOrigins:   []string{"*"},
 		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
-		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token", "X-User-ID"},
+		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
 		ExposedHeaders:   []string{"Link"},
 		AllowCredentials: true,
 		MaxAge:           300, // Maximum value not ignored by any of major browsers
@@ -741,13 +743,19 @@ func SvelteKitHandler(path string) http.Handler {
 
 func ValidateUserMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		userID := r.Header.Get("X-User-ID")
-		if userID == "" {
+		auth := r.Header.Get("Authorization")
+		prefix, token, found := strings.Cut(auth, " ")
+		prefix = strings.ToLower(prefix)
+
+		// Here, we would actually check the token against the DB, or
+		// verify it using a private key (e.g. for JWT), but for this
+		// testing service we just check its length.
+		if !found || prefix != "token" || len(token) != tokenLength {
 			w.WriteHeader(http.StatusUnauthorized)
 			return
 		}
 
-		ctx := context.WithValue(r.Context(), "user", userID)
+		ctx := context.WithValue(r.Context(), "authorization", auth)
 		next.ServeHTTP(w, r.WithContext(ctx))
 	})
 }

pkg/web/src/lib/stores.ts

@@ -1,3 +1,4 @@
 import { writable } from "svelte/store";
 
-export const userID = writable(0);
+export const userIDStore = writable(0);
+export const userTokenStore = writable('');