I’m building a micro-service in django that needs to handle authentication via JWT. I’ve built a nats bridge in python that handles topics such as “get.model”, “access.model”, etc. The workflow is the following:
The browser authenticates a user directly via an edpoint outside of rest (e.g.: GET /auth). This endpoint sets an auth cookie in the HTTP response header.
The browser then accesses a resource via HTTP to Resgate (e.g.: GET /api/model) and sends the auth token inside the http headers.
Resgate then publishes a message to “auth.auth.jwtHeader” with a generated connection ID. The micro-service handling this message will simply attach the JWT token to the connection ID and reply back to Resgate.
Resgate then publishes a message to “access.model” with the connection ID and the token it got from the previous step (which is the same JWT token it got from the original GET /api/model request). The micro-service handling this message will now decode the JWT and check if the user has permissions to access that micro-service.
Resgate finally publishes a message to “get.model” to access the resource. This micro-service is kind of “dumb” and will simply forward the request to a django instance running in localhost.
The problem is in the last step because the micro-service handling “get.model” doesn’t have access to the http cookies from the original request nor to the connection ID set by Resgate. In contrast, when we issue a POST (which gets translated to a “call.model” message), Resgate actually sends the connection ID to the micro-service
So what I need to do works with POST/PUT/PATCH/DELETE requests (basically all “call.*” methods) but doesn’t work with GET requests because the connection id isn’t sent to the service.
How can I fix this?
Alternativelly, is there a way for resgate to send the headers from the original http request when publishing all messages to topics such as “access.model”, “get.model.", "call.model.”, etc?
Thanks and happy 2022!