Google Domains - RPC Security, User Authorization

I wrote an RPC security layer for Google Domains that checks user authorization, validates requests, and introduces type-safe API credential requirements to reduce programmer error.

Features

  • Credentials carried in code by immutable objects, allowing explicit privilege escalation and de-escalation. The previous solution used a mutable global variable.
  • Credential objects had a type hierarchy allowing differentiation between user-scoped, admin, and anonymous credentials. This improved readability of the code and allowed enforcing credentials at the type level for APIs.
  • Unified request authorization and validity checking to ensure basic security checks in all servers, instead of previous server-specific checks and assumptions.
  • Automated support user and engineer admin access audit logging.
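The features above can be sketched as follows. This is an added example, not code from Google Domains: it is written in Rust for illustration, and every type, function and sample value in it is hypothetical.

```rust
// Added illustration; every name here is hypothetical, not Google Domains code.
use std::cell::RefCell;

/// Append-only audit trail written by the credential layer itself.
#[derive(Default)]
pub struct AuditLog(RefCell<Vec<String>>);
impl AuditLog {
    fn record(&self, entry: String) { self.0.borrow_mut().push(entry); }
    pub fn entries(&self) -> Vec<String> { self.0.borrow().clone() }
}

// One type per credential kind, with private fields and no setters:
// a value cannot change privilege after construction.
pub struct Anonymous;
pub struct UserCred { user: String }
pub struct AdminCred { admin: String, on_behalf_of: String }

impl UserCred {
    // Assumption: the caller has already authenticated the session for `user`.
    pub fn new(user: &str) -> Self { UserCred { user: user.to_string() } }
}
impl AdminCred {
    /// Explicit escalation: builds a new credential and always logs who, whom and why.
    pub fn escalate(admin: &str, target: &str, reason: &str, log: &AuditLog) -> Result<Self, String> {
        if reason.trim().is_empty() { return Err("audit reason required".into()); }
        log.record(format!("admin={} target={} reason={}", admin, target, reason));
        Ok(AdminCred { admin: admin.into(), on_behalf_of: target.into() })
    }
    /// Explicit de-escalation: a user-scoped credential for the target only.
    pub fn deescalate(&self) -> UserCred { UserCred::new(&self.on_behalf_of) }
}

// Each API names the credential it requires in its signature, so handing
// `Anonymous` or `UserCred` to `force_unlock` is a compile error.
pub fn whois(_cred: &Anonymous, domain: &str) -> String { format!("public record for {}", domain) }
pub fn list_domains(cred: &UserCred, owner: &str) -> Result<String, String> {
    if cred.user != owner { return Err("forbidden".into()); }
    Ok(format!("domains of {}", owner))
}
pub fn force_unlock(cred: &AdminCred, domain: &str) -> String {
    format!("{} unlocked {} for {}", cred.admin, domain, cred.on_behalf_of)
}

fn main() {
    let log = AuditLog::default();
    let admin = AdminCred::escalate("support-agent-7", "alice", "ticket 1234 (constructed)", &log).unwrap();
    println!("{}", force_unlock(&admin, "example.com"));
    println!("{:?} / {}", list_domains(&admin.deescalate(), "alice"), whois(&Anonymous, "example.com"));
    println!("{:?}", log.entries());
}
```

In a real crate the credential types would live in their own module so that field privacy is enforced against callers.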

Accomplishments

  • Rolled out safely to 8 servers and 15 internal APIs.
  • Brought Domains in line with Google-wide data security standards.
  • Gave tech talk to educate team about data security standards and the new layer I wrote.
  • Team expert for user security and credentials - consulting for Domains engineers and debugging many security issues over the years.