Right now it's the responsibility of every RPC implementation to verify they have an authenticated session by calling SessionService#getCurrentSession, even if they don't need the resulting SessionState. As part of #5433, it was noted that we may want to centralize this logic into io.deephaven.server.session.SessionServiceGrpcImpl.SessionServiceInterceptor.
Currently, the following RPCs do not require a Session:
SessionService.NewSession (deprecated)
ConsoleService.GetConsoleTypes
ConfigService.GetAuthenticationConstants
FlightService.Handshake
FlightService.ListFlights
FlightService.GetFlightInfo
FlightService.GetSchema
ConsoleService.GetHeapInfo
Of note, GetHeapInfo seems to have been an oversight in implementation / security, and should probably require an authenticated Session.
It's worthwhile to note that we may not want to indiscriminately apply this requirement to all RPCs, as non-DH / non-Flight RPCs might be mixed into the server. As such, care should be taken to make sure that DH is not too heavy-handed in applying this. We might want to have a Dagger opt-in that we can apply to all of our services by default. It might also be nice to think about any self-documenting annotations (either Java or gRPC/protobuf annotation) we might be able to leverage for these purposes.
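
A sketch of the centralized check described in the issue above, added here as an example and not taken from the Deephaven code base: a grpc-java `ServerInterceptor` that enforces a session only for services that opted in, minus the RPCs listed as not requiring one. The class name `RequireSessionInterceptor`, the `optedInServices` set and the `hasSession` predicate are hypothetical stand-ins for the real Dagger wiring and session lookup.

```java
import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.grpc.Status;
import java.util.Set;
import java.util.function.Predicate;

/** Hypothetical sketch; not Deephaven's SessionServiceInterceptor. */
public final class RequireSessionInterceptor implements ServerInterceptor {
    // RPCs the issue lists as not requiring a Session, written as "Service.Method".
    // GetHeapInfo is left out, following the issue's note that it should require one.
    public static final Set<String> NO_SESSION_REQUIRED = Set.of(
            "SessionService.NewSession",
            "ConsoleService.GetConsoleTypes",
            "ConfigService.GetAuthenticationConstants",
            "FlightService.Handshake",
            "FlightService.ListFlights",
            "FlightService.GetFlightInfo",
            "FlightService.GetSchema");

    private final Set<String> optedInServices;    // simple names of services that opted in
    private final Predicate<Metadata> hasSession; // hypothetical session lookup over request headers

    public RequireSessionInterceptor(Set<String> optedInServices, Predicate<Metadata> hasSession) {
        this.optedInServices = Set.copyOf(optedInServices);
        this.hasSession = hasSession;
    }

    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(
            ServerCall<ReqT, RespT> call, Metadata headers, ServerCallHandler<ReqT, RespT> next) {
        // Full method names have the form "package.Service/Method".
        final String full = call.getMethodDescriptor().getFullMethodName();
        final int slash = full.lastIndexOf('/');
        final String qualifiedService = slash < 0 ? full : full.substring(0, slash);
        final String service = qualifiedService.substring(qualifiedService.lastIndexOf('.') + 1);
        final String method = slash < 0 ? "" : full.substring(slash + 1);

        // Services that did not opt in (non-DH / non-Flight) pass through untouched.
        final boolean enforced = optedInServices.contains(service)
                && !NO_SESSION_REQUIRED.contains(service + "." + method);
        if (enforced && !hasSession.test(headers)) {
            // Fail closed before the RPC implementation is ever invoked.
            call.close(Status.UNAUTHENTICATED.withDescription("session required"), new Metadata());
            return new ServerCall.Listener<ReqT>() {};
        }
        return next.startCall(call, headers);
    }
}
```

Matching on the simple service name keeps the sketch independent of proto package names that are not given on this page; a real implementation would key on fully qualified service names so that a mixed-in service with the same simple name is not treated as opted in.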