Full description of the problem is here: #537

Proposed Solution:

I added a new method, `RegisterPublicRpc` (and `register_public_rpc` for Lua). This method allows you to register RPCs that do not require authentication.

An end-to-end test is included in `runtime_test.go`, named `TestRuntimeRegisterPublicRPCWithPayloadEndToEnd`. This successfully calls a public RPC without any HTTP key.

Most of the work is in `api_rpc.go`, and there are a few specific details to note:

- Previously, metrics were being gathered for RPC calls without an RPC id or with a bad RPC id. This check was moved forward to simplify some logic and so metrics are no longer gathered in those circumstances.
- The simplest method of bypassing auth was simply to branch. This means that the userId and username will be empty for public RPC handlers, regardless of whether or not they are authenticated. There are a couple other cases in which the handler would have been called with uid and username, but I specifically stripped that data out to guarantee that those values will always be empty. This seems like desired behavior, but obviously up to you.
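
A minimal Go model of the dispatch order described above, added here as an illustration and not taken from the PR's `api_rpc.go`. Only the name `RegisterPublicRpc` comes from the description; `Registry`, `Caller`, `Call`, the handler signature and the error values are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// rpcFn: handlers receive caller identity plus payload (shape assumed for this model).
type rpcFn func(userID, username, payload string) (string, error)

// Registry is a hypothetical stand-in for the server's RPC table.
type Registry struct {
	rpcs    map[string]rpcFn
	public  map[string]bool // ids registered via RegisterPublicRpc
	metrics map[string]int  // calls counted per known RPC id
}

func NewRegistry() *Registry {
	return &Registry{map[string]rpcFn{}, map[string]bool{}, map[string]int{}}
}

func (r *Registry) RegisterRpc(id string, fn rpcFn)       { r.rpcs[id] = fn }
func (r *Registry) RegisterPublicRpc(id string, fn rpcFn) { r.rpcs[id], r.public[id] = fn, true }

var ErrNotFound = errors.New("rpc not found")
var ErrUnauth = errors.New("authentication required")

// Caller is the identity resolved from credentials; nil means none were presented.
type Caller struct{ UserID, Username string }

func (r *Registry) Call(id string, c *Caller, payload string) (string, error) {
	fn, ok := r.rpcs[id]
	if !ok {
		return "", ErrNotFound // missing or bad id: rejected before metrics
	}
	r.metrics[id]++
	if r.public[id] {
		return fn("", "", payload) // identity stripped even if c != nil
	}
	if c == nil {
		return "", ErrUnauth
	}
	return fn(c.UserID, c.Username, payload)
}

func main() {
	r := NewRegistry()
	r.RegisterPublicRpc("status", func(uid, _, p string) (string, error) { return "uid=" + uid + " payload=" + p, nil })
	fmt.Println(r.Call("status", &Caller{"u1", "alice"}, "{}"))
}
```

Because a public handler never sees an identity, any per-user authorization or rate limiting has to be derived from the payload or enforced in front of the server.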