feat(iroh-relay): allow to authenticate nodes via a HTTP POST request

[Frando]

Description

This adds a new access config option to the iroh-relay binary: If set to http, a POST request will be performed for each node that attempts to connect to the relay. The URL to request is set in the config, and a X-Iroh-NodeId header will be set to the hex-encoded node id to check access for. If and only if the response has a 200 status code, and a response text of true, the connecting node will be granted access. In all other cases, the node will be denied access.

Config example to use this:

access.http.url = "http://localhost:8000/api/relays/check-auth/frando"

Breaking Changes

Notes & open questions

Change checklist

• Self-review.
• Documentation updates following the style guide, if relevant.
• Tests if relevant.

[github-actions]

Documentation for this PR has been generated and is available at: https://n0-computer.github.io/iroh/pr/3246/docs/iroh/

Last updated: 2025-04-07T10:44:57Z

[dignifiedquire]

no strong preference, but instead of doing string interpolation we could just send it as a request header or in the body part of the POST request

[Frando]

Yeah, those would work as well. Also no strong preference on my side.

[flub]

This string interpolation might be a bit brittle? I kind of like the idea of some new headers for custom info. It also means you don't have to change the config if we in the future decide to add things like the IP address or whatever as you can just add more headers.

[Frando]

Changed it:

• no more URL string replacement
• The node id is passed in an X-Iroh-NodeId header

[github-actions]

Netsim report & logs for this PR have been generated and is available at: LOGS
This report will remain available for 3 days.

Last updated for commit: d404a84

[flub]

What's the motivation to need a true in the body?

[Frando]

I thought of this as a safeguard, so that the endpoint implementing this would have to be more explicit. Maybe it's not needed, no strong opinion here.

[flub]

I also don't have a strong opinion... I don't know if this will turn out to be really handy, really annoying, or just completely fine 😄

[flub]

What happens if the authentication server needs to authenticate the clients connecting to it?

[Frando]

What happens if the authentication server needs to authenticate the clients connecting to it?

The authentication server has the node id, and can do whatever it likes to authenticate it (i.e. check against an ACL or against a capability token which it previously received over another communication channel).

Or did I misunderstand your question?

[flub]

What happens if the authentication server needs to authenticate the clients connecting to it?

The authentication server has the node id, and can do whatever it likes to authenticate it (i.e. check against an ACL or against a capability token which it previously received over another communication channel).

Or did I misunderstand your question?

Yeah, sorry. Didn't ask that very well. What I was wondering is whether the authentication service wants to protect itself. You don't want it to become a NodeId oracle but only want it to be used by authorised relay servers, and right now you can only do that by deploying it on a private network. Or maybe you could put a secret in the URL, but that secret would then have to be in the relay server's config file.

So maybe in the future we'll have to add features like this, and how compatible would that be to the current configuration format is what I was wondering. But it's probably fine and we can deal with it when that happens.

[Frando]

What I was wondering is whether the authentication service wants to protect itself. You don't want it to become a NodeId oracle but only want it to be used by authorised relay servers, and right now you can only do that by deploying it on a private network. Or maybe you could put a secret in the URL, but that secret would then have to be in the relay server's config file.

Ah, now I'm understanding. This is a good point. A secret in the URL would work. What other methods would work well? Some ideas:

1. Allow to set an Authentication header via either a config value, or an environment variable IROH_RELAY_HTTP_AUTH_HEADER or similar
2. Allow to set arbitrary headers via the config file

I think a first safeguard would be to make the http config a map instead of a single value, so that more options can be added without breaking the config format. Let me add this.

[flub]

A secret in the URL would work. What other methods would work well? Some ideas:

1. Allow to set an `Authentication` header via either a config value, or an environment variable `IROH_RELAY_HTTP_AUTH_HEADER` or similar

2. Allow to set arbitrary headers via the config file

I think a first safeguard would be to make the http config a map instead of a single value, so that more options can be added without breaking the config format. Let me add this.

Making http a map is a great future-proofing response indeed. I wouldn't go any further than that for now.

(And 1. above sounds the most appealing to me in the future, but let's see)

[Frando]

I added support for bearer tokens too.

[flub]

I also don't have a strong opinion... I don't know if this will turn out to be really handy, really annoying, or just completely fine 😄

[flub]

I'm always nervous whether serde manages to de-serialise from the config file format correctly. I've seen cases where serde expressed things that could not be expressed in the target serialisation. Mind adding a de-serialisation test for this from toml? (We don't need serialise support on these anymore, they're historic.)

There are a few similar tests already, so should be easy enough to copy.