[server] add Unauthenticated decorator for public-api

AlexTugarev · AlexTugarev · commit f8f6da6dab84 · 2023-11-07T09:10:38.000Z
diff --git a/components/server/src/api/server.ts b/components/server/src/api/server.ts
@@ -41,6 +41,7 @@ import { APITeamsService as TeamsServiceAPI } from "./teams";
 import { APIUserService as UserServiceAPI } from "./user";
 import { WorkspaceServiceAPI } from "./workspace-service-api";
 import { AuthProviderServiceAPI } from "./auth-provider-service-api";
+import { Unauthenticated } from "./unauthenticated";
 
 decorate(injectable(), PublicAPIConverter);
 
@@ -213,10 +214,14 @@ export class API {
                     };
 
                     const apply = async <T>(): Promise<T> => {
-                        const subjectId = await self.verify(context);
-                        await rateLimit(subjectId);
-                        context.user = await self.ensureFgaMigration(subjectId);
-
+                        const unauthenticated = Unauthenticated.get(target, prop);
+                        if (unauthenticated) {
+                            // TODO(at) add a low rate limit
+                        } else {
+                            const subjectId = await self.verify(context);
+                            await rateLimit(subjectId);
+                            context.user = await self.ensureFgaMigration(subjectId);
+                        }
                         return Reflect.apply(target[prop as any], target, args);
                     };
                     if (grpc_type === "unary" || grpc_type === "client_stream") {
diff --git a/components/server/src/api/unauthenticated.spec.ts b/components/server/src/api/unauthenticated.spec.ts
@@ -0,0 +1,28 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+import * as chai from "chai";
+import { Unauthenticated } from "./unauthenticated";
+
+const expect = chai.expect;
+
+class Foo {
+    @Unauthenticated()
+    async fooUnauthenticated() {}
+
+    async foo() {}
+}
+
+describe("Unauthenticated decorator", function () {
+    const foo = new Foo();
+
+    it("function is decorated", function () {
+        expect(Unauthenticated.get(foo, "fooUnauthenticated")).to.be.true;
+    });
+    it("function is not decorated", function () {
+        expect(Unauthenticated.get(foo, "foo")).to.be.false;
+    });
+});
diff --git a/components/server/src/api/unauthenticated.ts b/components/server/src/api/unauthenticated.ts
@@ -0,0 +1,17 @@
+/**
+ * Copyright (c) 2023 Gitpod GmbH. All rights reserved.
+ * Licensed under the GNU Affero General Public License (AGPL).
+ * See License.AGPL.txt in the project root for license information.
+ */
+
+const UNAUTHENTICATED_METADATA_KEY = Symbol("Unauthenticated");
+
+export function Unauthenticated() {
+    return Reflect.metadata(UNAUTHENTICATED_METADATA_KEY, true);
+}
+
+export namespace Unauthenticated {
+    export function get(target: Object, properyKey: string | symbol): boolean {
+        return !!Reflect.getMetadata(UNAUTHENTICATED_METADATA_KEY, target, properyKey);
+    }
+}
