pupperino, 6mo ago

Google Auth Tokens Exposed?

I am working on a project that exposes some API endpoints but would like to secure it on the server-side. Does Windmill Cloud App expose a way to fetch OAuth tokens/create SSO that I could pass to the API endpoint for user verification?
11 Replies
rubenf, 6mo ago
Users would be expected to go through the OAuth flow from within Windmill, which will store them as resources and rotate them using the refresh token, but that sounds very different from what you need.
pupperino (OP), 6mo ago
Yeah, slightly different use case. After the OAuth flow on Windmill, is there a way to send over any form of auth token (maybe generated from Google via Windmill scripts) to the API, which will verify the user using something like google-auth-library?
rubenf, 6mo ago
At the moment, no. You can however watch all resources and trigger upon new OAuth resources; you could even watch the DB with triggers. It does require quite a bit of work.
pupperino (OP), 6mo ago
Yeah, hoping to have some lightweight way to verify that whoever is pinging the server is indeed who they claim to be. Seems like it would be a good enhancement, especially if users are trying to integrate sensitive DB data with internal admin UI tooling offered by WM.
rubenf, 6mo ago
I think I don't even understand the use-case
pupperino (OP), 6mo ago
Suppose a dev would like to use a WM App as an internal admin tool that allows for basic CRUD operations on something like user preferences. The server/DB is externally hosted, and the dev would just like to use WM as a UI App to make calls to the API endpoints exposed by the server, but doesn't want to allow just anybody to make the API call publicly. I saw in an earlier message that there are a couple of IP addresses associated w/ the Cloud, but I assume those are IP addresses for everybody, so if a malicious actor got hold of the API endpoint and created a WM script, they could still hit the endpoint.
rubenf, 6mo ago
Why not use a shared secret? You can even sign each payload in the header.
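As an added example of the shared-secret-plus-signed-payload approach suggested above (this is not Windmill's own code, nor code from anyone in the thread): the caller (e.g. a Windmill script) computes an HMAC-SHA256 over the method, path, a timestamp and a hash of the body, and the externally hosted API recomputes it with the same secret. The header names, the canonical string layout, the 5-minute freshness window and the secret value are all assumptions made for the example; in a real Windmill script the secret would come from a Windmill variable/secret rather than being hard-coded.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed example secret for this demo only (assumption). In a Windmill
# script this would be read from a Windmill secret variable, not hard-coded,
# and the same value would be configured on the API server.
SHARED_SECRET = b"example-shared-secret-rotate-me"

# Requests whose timestamp is further than this from server time are rejected,
# which limits how long a captured request can be replayed (assumed window).
MAX_SKEW_SECONDS = 300

SIG_PREFIX = "sha256="


def canonical_string(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """Bind method, path, timestamp and a body digest into one string to sign.

    Signing all four means an attacker cannot move a valid signature to a
    different endpoint, verb, time or payload.
    """
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, timestamp, body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None) -> dict:
    """Caller side (what the Windmill script would do): build the auth headers."""
    ts = str(int(time.time()) if timestamp is None else timestamp)
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    # Assumed header names; any names work as long as both sides agree.
    return {"X-Timestamp": ts, "X-Signature": SIG_PREFIX + mac}


def verify_request(secret: bytes, method: str, path: str, body: bytes,
                   headers: dict, now: Optional[int] = None) -> bool:
    """API server side: accept only fresh requests with a valid HMAC."""
    ts = headers.get("X-Timestamp")
    sig = headers.get("X-Signature", "")
    if ts is None or not ts.isdigit() or not sig.startswith(SIG_PREFIX):
        return False
    current = int(time.time()) if now is None else now
    if abs(current - int(ts)) > MAX_SKEW_SECONDS:
        return False  # stale: expired or replayed outside the window
    expected = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    # Constant-time comparison so timing does not leak which bytes matched.
    return hmac.compare_digest(expected, sig[len(SIG_PREFIX):])


if __name__ == "__main__":
    # Constructed sample payload: an admin UI updating a user's preferences.
    payload = b'{"user_id": 42, "theme": "dark"}'
    headers = sign_request(SHARED_SECRET, "POST", "/api/preferences", payload)
    print("valid request:   ", verify_request(SHARED_SECRET, "POST", "/api/preferences", payload, headers))
    print("tampered body:   ", verify_request(SHARED_SECRET, "POST", "/api/preferences", payload + b" ", headers))
    print("wrong secret:    ", verify_request(b"guess", "POST", "/api/preferences", payload, headers))
    print("replayed later:  ", verify_request(SHARED_SECRET, "POST", "/api/preferences", payload, headers,
                                              now=int(time.time()) + MAX_SKEW_SECONDS + 1))
```

Two practical notes: the timestamp window only bounds replay, so a request captured in transit can still be resent within the window; if that matters, have the server also remember recent signatures (or add a nonce) for the length of the window. And the secret should be sent over TLS only and stored on the Windmill side as a secret variable so it is not visible in script source or job logs.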
pupperino (OP), 6mo ago
Yeah, that seems like a good approach. How are secrets encrypted/stored in WM? Thinking maybe to IP-restrict incoming requests and have some shared secret (sounds like overkill, but would do the job).
rubenf, 6mo ago
There is a bit more to read in the docs. I think @Ask Inkeep is pretty good too.
Ask Inkeep, 6mo ago
Please tag me in threads that I was a part of from the start.
pupperino (OP), 6mo ago
Great. Thank you for your help bouncing ideas around; I don't know why I didn't think of a shared secret.