Feature/files api

[dbampalikis]

The PR creates an endpoint in the API service for retrieving information about the files a user has submitted. The user is authenticated using the JWToken and currently the way to parse the token is only done through a public key file.

• Lacks integration tests

[jbygdell]

Maybe not perfectly correct but you get the gists

[codecov-commenter]

Codecov Report

Merging #540 (58e99fb) into master (1bcd776) will decrease coverage by 0.38%.
The diff coverage is 34.88%.

❗ Current head 58e99fb differs from pull request most recent head 7325bae. Consider uploading reports for the commit 7325bae to get more accurate results

📣 This organization is not using Codecov’s GitHub App Integration. We recommend you install it so Codecov can continue to function properly for your repositories. Learn more

@@            Coverage Diff             @@
##           master     #540      +/-   ##
==========================================
- Coverage   39.38%   39.00%   -0.38%     
==========================================
  Files          13       13              
  Lines        3161     3325     +164     
==========================================
+ Hits         1245     1297      +52     
- Misses       1874     1981     +107     
- Partials       42       47       +5     

Flag	Coverage Δ
unittests	39.00% <34.88%> (-0.38%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
internal/database/db.go	69.72% <0.00%> (-10.47%)	⬇️
internal/config/config.go	77.98% <4.54%> (-3.91%)	⬇️
cmd/api/api.go	56.02% <57.28%> (-2.32%)	⬇️

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[pontus]

Unused?

[pontus]

Looks OK, I notice one can have at most one key per issuer, meaning key rotation is not possible, but guess we won't have actual problems with that for now.

[pontus]

I'm not sure exactly what use case this is meant to address, but I believe it would be nice to make it easier for sda-cli to support resuming uploads, in which case it would be nice to offer submission_file_size to the user as well if there is a checksum of type UPLOADED.

Or would that be out of scope?

[blankdots]

if i understand correctly the only way to match users to files is if we issue the token ... not sure how that will work from a services standpoint, for this reason I would prefer if having a local key for generating the token is not the default but an option as we can have a list of controlled issuers that we allow to generate the tokens and we can check the users against that.

[blankdots]

not sure i follow why we need MQ checks here,the API does not do anything with the broker.

[blankdots]

i think the token check should be split, so that it is easier to integrate with sda download: see: https://github.com/neicnordic/sda-download/blob/main/pkg/auth/auth.go#L54-L90

Also it would be good to have a list of trusted issuers: https://github.com/neicnordic/sda-download/blob/main/pkg/auth/auth.go#L327-L344

[blankdots]

i think we can have /jwk endpoint and serve our key there so it creates less hassle when changing the function for checking jwt signature.

[dbampalikis]

Yes, that makes sense actually. I might need to leave this function as a second option though, at least until we create an endpoint for serving the key

[pontus]

It's not in https://www.iana.org/assignments/well-known-uris/well-known-uris.xhtml, but .well-known/jwks.json would be a good path for that, see e.g. https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-key-sets.