Skip to content

[TCL][FLAG-1469] Add JWT auth#5189

Open
willian-viana wants to merge 7 commits intodevelopfrom
feat/TCL-admin-full-JWT
Open

[TCL][FLAG-1469] Add JWT auth#5189
willian-viana wants to merge 7 commits intodevelopfrom
feat/TCL-admin-full-JWT

Conversation

@willian-viana
Copy link
Collaborator

@willian-viana willian-viana commented Mar 19, 2026
edited
Loading

Overview

To prevent unauthorized access to the new data by other users, we're implementing a new auth, that restricts access to the admin account

@willian-viana willian-viana requested a review from gtempus March 19, 2026 14:05
@willian-viana willian-viana self-assigned this Mar 19, 2026
@willian-viana willian-viana mentioned this pull request Mar 19, 2026
Closed
@willian-viana willian-viana temporarily deployed to gfw-staging-pr-5189 March 19, 2026 14:08 Inactive
@willian-viana willian-viana force-pushed the feat/TCL-admin-full-JWT branch from 28e86cd to 7e67c31 Compare March 19, 2026 14:37
@willian-viana willian-viana temporarily deployed to gfw-staging-pr-5189 March 19, 2026 14:38 Inactive
@willian-viana willian-viana force-pushed the feat/TCL-admin-full-JWT branch from 7e67c31 to 6f1ede9 Compare March 19, 2026 14:41
@willian-viana willian-viana temporarily deployed to gfw-staging-pr-5189 March 19, 2026 14:42 Inactive
@willian-viana willian-viana marked this pull request as ready for review March 19, 2026 14:42
@willian-viana willian-viana changed the title [TCL] Add full JWT auth [TCL][FLAG-1469] Add full JWT auth Mar 19, 2026
@willian-viana willian-viana changed the title [TCL][FLAG-1469] Add full JWT auth [TCL][FLAG-1469] Add JWT auth Mar 19, 2026
gtempus
gtempus requested changes Mar 19, 2026
View reviewed changes
@willian-viana
feat(tcl): add jwt auth
6567ef0 
To prevent unauthorized access to the new data by other users, we're implementing a new auth, that restricts access to the admin account
@willian-viana
feat(tcl): add jwt auth
1bb39dd 
To prevent unauthorized access to the new data by other users, we're implementing a new auth, that restricts access to the admin account
@willian-viana
feat(jwt): remove jwt from the client and remove admin role validation
0825119
@willian-viana willian-viana force-pushed the feat/TCL-admin-full-JWT branch from 6f1ede9 to 0825119 Compare March 24, 2026 18:00
@willian-viana willian-viana temporarily deployed to gfw-staging-pr-5189 March 24, 2026 18:01 Inactive
@willian-viana willian-viana requested a review from gtempus March 24, 2026 18:07
@willian-viana willian-viana temporarily deployed to gfw-staging-pr-5189 March 24, 2026 18:07 Inactive
@willian-viana willian-viana temporarily deployed to gfw-staging-pr-5189 March 24, 2026 18:11 Inactive
gtempus
gtempus requested changes Mar 24, 2026
View reviewed changes
Copy link
Contributor

@gtempus gtempus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah! This is what I was orginally thinking, @willian-viana! 💯

Do we need to modify utils/request.js since the Authorization header is already being added in pages/api/data/[...params].js?

The main reason I'm asking is that it means that the client will send a token to the server-side, and could be captured and used by someone else to access the data? 🤷

@willian-viana
Copy link
Collaborator Author

willian-viana commented Mar 24, 2026

Yeah! This is what I was orginally thinking, @willian-viana! 💯

Do we need to modify utils/request.js since the Authorization header is already being added in pages/api/data/[...params].js?

The main reason I'm asking is that it means that the client will send a token to the server-side, and could be captured and used by someone else to access the data? 🤷

pages/api/data/[...params].js is a proxy for client requests. When the request is internal (server-side) it pass directly to the Data API.

//if isServer is true, then pass the Authorization alongisde the x-api-key
...(isServer && {
    baseURL: DATA_API_URL,
    headers: {
      'x-api-key': DATA_API_KEY,
      ...(GFW_DATA_API_TOKEN && {
        Authorization: `Bearer ${GFW_DATA_API_TOKEN}`,
      }),
    },
  }),

  // If not, call the proxy (pages/api/data/[...params].js)
  ...(!isServer && {
    baseURL: PROXIES.DATA_API,
  }),

@willian-viana willian-viana requested a review from gtempus March 24, 2026 20:05
@willian-viana willian-viana temporarily deployed to gfw-staging-pr-5189 March 24, 2026 20:14 Inactive
gtempus
gtempus approved these changes Mar 24, 2026
View reviewed changes
Copy link
Contributor

@gtempus gtempus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, @willian-viana! Let's give this a shot. :shipit:

@willian-viana willian-viana temporarily deployed to gfw-staging-pr-5189 March 25, 2026 17:57 Inactive
@willian-viana willian-viana force-pushed the feat/TCL-admin-full-JWT branch from 86858d3 to 0777407 Compare March 25, 2026 17:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gtempus gtempus gtempus approved these changes

Assignees

@willian-viana willian-viana

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@willian-viana @gtempus