fix(blob): remove auth for using upload and download url (#269)

Because we try to allow use to directly use url This commit removes the authorization while uploading and downloading
instill-ai · Nov 25, 2024 · e262b10 · e262b10
1 parent 01453a4
commit e262b10
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 55 deletions.
diff --git a/config/base.json b/config/base.json
@@ -34,7 +34,7 @@
     {{ template "influxdb_metrics.tmpl" . }},
     {{ template "cors.tmpl" . }},
     "plugin/http-server": {
-      "name": ["blob","sse-streaming", "multi-auth", "grpc-proxy-server", "registry"],
+      "name": ["sse-streaming", "multi-auth", "grpc-proxy-server", "registry","blob"],
       "multi-auth":{
         "grpc_server": "{{ .plugins.mgmt_public_hostport }}"
       },

diff --git a/plugins/blob/handler.go b/plugins/blob/handler.go
@@ -81,17 +81,6 @@ func (rh *blobHandler) handler(ctx context.Context) http.HandlerFunc {
 	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
 		Info(req.Method+" "+req.URL.Path, " start relaying request to blob backend")
 
-		userUID := req.Header.Get("Instill-User-Uid")
-
-		// check if the userUID is a valid uuid
-		if _, err := uuid.FromString(userUID); err != nil {
-			Error(req.URL.Path, " authorization failed. ", err)
-			rh.handleError(req, w, err)
-			return
-		}
-
-		// TODO: check if user uuid is member of the namespace or user self
-
 		// NOTE: the object url uid is the last part of the request path
 		parts := strings.Split(req.URL.Path, "/")
 		objectURLUID := parts[len(parts)-1]

diff --git a/plugins/multi-auth/main.go b/plugins/multi-auth/main.go
@@ -152,49 +152,6 @@ func (r registerer) registerHandlers(ctx context.Context, extra map[string]inter
 			req.Header.Set("Accept", "text/event-stream")
 			h.ServeHTTP(w, req)
 
-		} else if strings.Contains(req.URL.Path, "/v1alpha/namespaces/") && strings.Contains(req.URL.Path, "/blob-urls/") {
-			// To make authentication work in blob plugin, we send a request to the management API
-			// first for verification.
-			r, err := http.NewRequest("GET", "http://localhost:8080/v1beta/user", nil)
-			if err != nil {
-				http.Error(w, err.Error(), http.StatusInternalServerError)
-				return
-			}
-			r.Header = req.Header
-			r.Header["Accept"][0] = "*/*"
-
-			resp, err := httpClient.Do(r)
-			if err != nil {
-				http.Error(w, err.Error(), http.StatusInternalServerError)
-				return
-			}
-			if resp.StatusCode == 401 {
-				writeStatusUnauthorized(req, w)
-				return
-			}
-			type user struct {
-				User struct {
-					UID string `json:"uid"`
-				} `json:"user"`
-			}
-			respBytes, err := io.ReadAll(resp.Body)
-			if err != nil {
-				writeStatusUnauthorized(req, w)
-				return
-			}
-			defer resp.Body.Close()
-
-			u := user{}
-			err = json.Unmarshal(respBytes, &u)
-			if err != nil {
-				writeStatusUnauthorized(req, w)
-				return
-			}
-
-			req.Header.Set("Instill-Auth-Type", "user")
-			req.Header.Set("Instill-User-Uid", u.User.UID)
-			h.ServeHTTP(w, req)
-
 		} else {
 			req.Header.Set("Instill-Auth-Type", "user")
 			req.URL.Path = "/internal" + req.URL.Path