- Kong currently enforces JWTs in higher environments.
- In lower environments we rely on the ability to send requests without JWTs for integration testing.
  - This applies to `latest` and `release2`.
  - It would be a non-trivial amount of work to overhaul this system (but not out of the question).
- In all environments we rely on the ability to send requests between services without JWTs.
  - Currently this only includes GET requests (i.e. not editing a referral).
  - In future it may be required that LIMS systems will send requests to edit a referral via this method, but not for beta.
- Based on the above we can:
  - Assume requests without JWTs are normal users
    - Disadvantages:
      - Overhaul testing system to create/manage JWTs for all environments
    - Advantages:
      - Most obvious behaviour
  - Assume requests without JWTs are superusers
    - Disadvantages:
      - Direct requests without JWTs are treated as privileged users (but Kong will make this impossible in higher environments - E2E and above)
    - Advantages:
      - Allows integration tests to continue unaltered, whilst still allowing us to explicitly test authorisation logic by passing a JWT on specific tests.
  - Toggle between the above two behaviours using an environment variable
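A sketch of the third option (the environment-variable toggle), added here as an example and not code from the original note. The variable names `NO_JWT_ROLE` and `APP_ENV`, the `role` claim, and the rule that the superuser default is refused outside `latest` and `release2` are all assumptions; claims are taken to come from a JWT that has already been verified.

```python
import os

# Hypothetical names chosen for this example; none appear in the original note.
TOGGLE_VAR = "NO_JWT_ROLE"   # assumed toggle variable
ENV_VAR = "APP_ENV"          # assumed variable naming the deployment environment
LOWER_ENVIRONMENTS = {"latest", "release2"}  # lower environments named in the note

NORMAL_USER = "normal_user"
SUPERUSER = "superuser"


class UnsafeConfiguration(RuntimeError):
    """The privileged default was requested outside a lower environment."""


def no_jwt_role(environ=os.environ):
    """Role given to a request that arrives without a JWT.

    Fails closed: an unset, empty or unrecognised toggle value means
    normal user. Only the exact value "superuser" enables the privileged
    default, and only in a lower environment (assumed policy).
    """
    requested = environ.get(TOGGLE_VAR, "").strip().lower()
    if requested != SUPERUSER:
        return NORMAL_USER
    env = environ.get(ENV_VAR, "").strip().lower()
    if env not in LOWER_ENVIRONMENTS:
        # Do not rely on the gateway alone: refuse the setting outright.
        raise UnsafeConfiguration(
            f"{TOGGLE_VAR}={SUPERUSER} is not allowed in environment {env!r}"
        )
    return SUPERUSER


def resolve_role(claims, environ=os.environ):
    """Return the role for a request.

    claims: dict of claims from an already-verified JWT, or None when the
    request carried no JWT. A presented JWT always wins over the toggle,
    so authorisation logic can still be tested by passing a JWT.
    """
    if claims is None:
        return no_jwt_role(environ)
    # "role" is an assumed claim name; anything but superuser is a normal user.
    return SUPERUSER if claims.get("role") == SUPERUSER else NORMAL_USER
```

Calling `no_jwt_role()` once at service start-up makes a misconfigured deployment fail immediately instead of on the first unauthenticated request.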
Created May 14, 2019 15:18