ADR 019 password rotation #523

Merged: 6 commits, Aug 30, 2023

StephenCathcart commented Aug 22, 2023

This PR updates the preview feature "re-auth" significantly. The changes allow for catering to a wider range of use cases including simple password rotation.

ExpirationBasedTokenManager was renamed to BearerTokenManager for handling potentially expiring auth information:

```go
func ExampleBearerTokenManager() {
	fetchAuthTokenFromMyProvider := func(ctx context.Context) (neo4j.AuthToken, *time.Time, error) {
		// some way of getting a token
		token, err := getSsoToken(ctx)
		if err != nil {
			return neo4j.AuthToken{}, nil, err
		}
		// assume we know our tokens expire every 60 seconds
		expiresIn := time.Now().Add(60 * time.Second)
		// Include a little buffer so that we fetch a new token *before* the old one expires
		expiresIn = expiresIn.Add(-10 * time.Second)
		// or return nil instead of `&expiresIn` if we don't expect it to expire
		return token, &expiresIn, nil
	}
	// create a new driver with a bearer token manager which uses provider to handle possibly expiring auth tokens.
	_, _ = neo4j.NewDriverWithContext(getUrl(), auth.BearerTokenManager(fetchAuthTokenFromMyProvider))
}
```

A BasicTokenManager token manager was added to handle password rotation:

```go
func ExampleBasicTokenManager() {
	fetchBasicAuthToken := func(ctx context.Context) (neo4j.AuthToken, error) {
		// some way of getting basic authentication information
		username, password, realm, err := getBasicAuth()
		if err != nil {
			return neo4j.AuthToken{}, err
		}
		// create and return a basic authentication token with provided username, password and realm
		return neo4j.BasicAuth(username, password, realm), nil
	}
	// create a new driver with a basic token manager which uses provider to handle basic auth password rotation.
	_, _ = neo4j.NewDriverWithContext(getUrl(), auth.BasicTokenManager(fetchBasicAuthToken))
}
```
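
The expiry contract of the provider in `ExampleBearerTokenManager`, as an added sketch that is not part of this PR or the driver's code: it assumes a manager reuses a token until the expiry the provider reported, and steps a fake clock through the 60-second lifetime with the 10-second buffer. `Token`, `cachingManager`, `GetToken` and `runScenario` are hypothetical names, and `Token` replaces `neo4j.AuthToken` so the block builds without the driver.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

type Token struct{ Credentials string } // stands in for neo4j.AuthToken

// cachingManager is a hypothetical model, not the driver's implementation.
type cachingManager struct {
	mu       sync.Mutex // callers may share one manager across goroutines
	provider func(context.Context) (Token, *time.Time, error)
	now      func() time.Time // injectable clock so expiry can be tested
	token    *Token
	expires  *time.Time // nil means the cached token never expires
}

// GetToken calls the provider only when nothing is cached or expiry was reached.
func (m *cachingManager) GetToken(ctx context.Context) (Token, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	if m.token != nil && (m.expires == nil || m.now().Before(*m.expires)) {
		return *m.token, nil
	}
	tok, exp, err := m.provider(ctx)
	if err == nil {
		m.token, m.expires = &tok, exp // on error the old state stays, so the next call retries
	}
	return tok, err
}

func runScenario() (calls int, seen []string) {
	clock := time.Date(2023, 8, 22, 0, 0, 0, 0, time.UTC) // constructed start time
	m := &cachingManager{now: func() time.Time { return clock }}
	m.provider = func(context.Context) (Token, *time.Time, error) {
		calls++
		exp := clock.Add(60*time.Second - 10*time.Second) // lifetime minus buffer
		return Token{Credentials: fmt.Sprintf("token-%d", calls)}, &exp, nil
	}
	for _, step := range []time.Duration{0, 49 * time.Second, time.Second, 30 * time.Second} {
		clock = clock.Add(step)
		tok, _ := m.GetToken(context.Background())
		seen = append(seen, tok.Credentials)
	}
	return calls, seen
}
func main() { fmt.Println(runScenario()) }
```

The second fetch happens at the 50-second mark, while a token with a real 60-second lifetime would still be accepted, so a connection never presents a token that has already lapsed.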

StephenCathcart marked this pull request as ready for review August 29, 2023 20:03
StephenCathcart merged commit a8a15a5 into neo4j:5.0 Aug 30, 2023
StephenCathcart deleted the feature/password-rotation branch August 30, 2023 14:17