Openwhisk: actions with require-whisk-auth annotation as boolean false are rejected by controller

Created on 25 Sep 2020  路  4Comments  路  Source: apache/openwhisk

The annotation value require-whisk-auth: false on a web action leads the controller to reject the web action invocation.

  1. The openwhisk documentation does not say what should happen when the value is false. I don't know why this case is omitted case https://github.com/apache/openwhisk/blob/master/docs/webactions.md#securing-web-actions
  2. The implementation treats this case as "not allowed, something is not right" see line 790 in this snippet
    https://github.com/apache/openwhisk/blob/d9e908cce62c2d6e9f34e0295c53736be496c195/core/controller/src/main/scala/org/apache/openwhisk/core/controller/WebActions.scala#L777-L790

The controller should handle the case of the annotation being set to boolean false as not requiring authentication rather than reject the call.

bug controller good first issue help wanted

All 4 comments

So this is the case where require-whisk-auth annotation is specified but the value is false.
I think it has not been noticed because if the annotation does not exist, it passes the authentication.
So anyone who does not require any authentication, they just skip configuring the annotation rather than set it explicitly.

But it looks clearly a bug.

@rabbah @style95 I think this task just requires one more case to be added

case JsFalse | JsBoolean(false) => true

If so, Can I please pick this issue?

@nitikagarw looks right - also will need a test.
Thank you for the contribution.

Thanks @nitikagarw for the contribution!

Was this page helpful?
0 / 5 - 0 ratings