[dashboard, ws-proxy, supervisor] Break potential DDOS cycle by disabling autostart

When triggered:
 a) inFrame or
 b) when redirect from IDE url (either by supervisor or ws-proxy)

Author: geropl

components/dashboard/src/App.tsx

@@ -25,6 +25,7 @@ import { Experiment } from './experiments';
 import { workspacesPathMain } from './workspaces/workspaces.routes';
 import { settingsPathAccount, settingsPathIntegrations, settingsPathMain, settingsPathNotifications, settingsPathPlans, settingsPathPreferences, settingsPathTeams, settingsPathTeamsJoin, settingsPathTeamsNew, settingsPathVariables } from './settings/settings.routes';
 import { projectsPathInstallGitHubApp, projectsPathMain, projectsPathMainWithParams, projectsPathNew } from './projects/projects.routes';
+import { StartWorkspaceParameters } from './start/StartWorkspace';
 
 const Setup = React.lazy(() => import(/* webpackPrefetch: true */ './Setup'));
 const Workspaces = React.lazy(() => import(/* webpackPrefetch: true */ './workspaces/Workspaces'));
@@ -401,7 +402,8 @@ function App() {
     } else if (isCreation) {
         toRender = <CreateWorkspace contextUrl={hash} />;
     } else if (isWsStart) {
-        toRender = <StartWorkspace workspaceId={hash} />;
+        const params = StartWorkspaceParameters.parse(window.location.search);
+        toRender = <StartWorkspace workspaceId={hash} parameters={params} />;
     } else if (/^(github|gitlab)\.com\/.+?/i.test(window.location.pathname)) {
         let url = new URL(window.location.href)
         url.hash = url.pathname

components/dashboard/src/start/StartWorkspace.tsx

@@ -21,10 +21,54 @@ const sessionId = v4();
 const WorkspaceLogs = React.lazy(() => import('../components/WorkspaceLogs'));
 
 export interface StartWorkspaceProps {
-  workspaceId: string;
+  workspaceId: string,
+  parameters?: StartWorkspaceParameters,
+}
+
+export interface StartWorkspaceParameters {
+  trigger?: StartWorkspaceTrigger,
+}
+
+const StartWorkspaceTriggers = {
+  /**
+   * A workspace cluster's ws-proxy redirected the client to "/start/#<wsId>" because it could not find that workspace
+   */
+  "redirect_from_ws_cluster": undefined,
+
+  /**
+   * Supervisor redirect the client to "/start/#<wsId>" because it could
+   */
+  "redirect_from_supervisor": undefined,
+};
+export type StartWorkspaceTrigger = keyof (typeof StartWorkspaceTriggers);
+
+export namespace StartWorkspaceParameters {
+  export function parse(search: string): StartWorkspaceParameters | undefined {
+    try {
+      const result: StartWorkspaceParameters = {};
+      const params = new URLSearchParams(search);
+      for (const [k, v] of params.entries()) {
+        switch (k) {
+          case "trigger":
+            if (v in StartWorkspaceTriggers) {
+              result.trigger = v as StartWorkspaceTrigger;
+            }
+            break;
+        }
+      }
+      return result;
+    } catch (err) {
+      console.error("/start: error parsing search params", err);
+      return undefined;
+    }
+  }
 }
 
 export interface StartWorkspaceState {
+  /**
+   * This is set to the istanceId we started (think we started on).
+   * We only receive updates for this particular instance, or none if not set.
+  */
   startedInstanceId?: string;
   workspaceInstance?: WorkspaceInstance;
   workspace?: Workspace;
@@ -34,8 +78,13 @@ export interface StartWorkspaceState {
     link: string
     label: string
     clientID?: string
-  }
-  ideOptions?: IDEOptions
+  };
+  ideOptions?: IDEOptions;
+  showRestartModal?: boolean;
+  /**
+   * This flag is used to break the autostart-cycle explained in https://github.com/gitpod-io/gitpod/issues/8043
+   */
+  dontAutostart?: boolean;
 }
 
 export default class StartWorkspace extends React.Component<StartWorkspaceProps, StartWorkspaceState> {
@@ -75,8 +124,34 @@ export default class StartWorkspace extends React.Component<StartWorkspaceProps,
       this.setState({ error });
     }
 
+    // we're coming back from a workspace cluster/IDE URL where we expected a workspace to be running but it wasn't because either:
+    //  - this is a (very) old tab and the workspace already timed out
+    //  - due to a start error our workspace terminated very quickly between:
+    //    a) us being redirected to that IDEUrl (based on the first ws-manager update) and
+    //    b) our requests being validated by ws-proxy
+    // we break this potentially DDOS cycle by showing a modal "Restart workspace?" instead of auto-restarting said workspace.
+    const params = this.props.parameters;
+    if (params?.trigger === "redirect_from_ws_cluster"
+      || params?.trigger === "redirect_from_supervisor") {
+      this.setState({ dontAutostart: true });
+      this.fetchWorkspaceInfo(undefined);
+      return;
+    }
+
+    // IDE case:
+    //  - we assume the workspace has already been started for us
+    //  - we don't know it's instanceId
+    // we could also rely on "startWorkspace" to return us the "running" instance, but that opens the door for
+    // self-DDOSing as we found in the past (cmp. https://github.com/gitpod-io/gitpod/issues/8043)
+    if (this.runsInIFrame()) {
+      // fetch current state display (incl. potential errors)
+      this.setState({ dontAutostart: true });
+      this.fetchWorkspaceInfo(undefined);
+      return;
+    }
+
+    // dashboard case (no previous errors): start workspace as quickly as possible
     this.startWorkspace();
-    getGitpodService().server.getIDEOptions().then(ideOptions => this.setState({ ideOptions }))
   }
 
   componentWillUnmount() {
@@ -134,10 +209,12 @@ export default class StartWorkspace extends React.Component<StartWorkspaceProps,
         this.redirectTo(result.workspaceURL);
         return;
       }
-      this.setState({ startedInstanceId: result.instanceID });
-      // Explicitly query state to guarantee we get at least one update
+      // Start listening too instance updates - and explicitly query state once to guarantee we get at least one update
       // (needed for already started workspaces, and not hanging in 'Starting ...' for too long)
-      this.fetchWorkspaceInfo();
+      this.fetchWorkspaceInfo(result.instanceID);
+
+      // query IDE options so we can show them if necessary once the workspace is running
+      getGitpodService().server.getIDEOptions().then(ideOptions => this.setState({ ideOptions }));
     } catch (error) {
       console.error(error);
       if (typeof error === 'string') {
@@ -180,15 +257,28 @@ export default class StartWorkspace extends React.Component<StartWorkspaceProps,
     }
   }
 
-  async fetchWorkspaceInfo() {
+  /**
+   * Fetches initial WorkspaceInfo from the server. If there is a WorkspaceInstance for workspaceId, we feed it
+   * into "onInstanceUpdate" and start accepting further updates.
+   *
+   * @param startedInstanceId The instanceId we want to listen on
+   */
+  async fetchWorkspaceInfo(startedInstanceId: string | undefined) {
+    // this ensures we're receiving updates for this instance
+    if (startedInstanceId) {
+      this.setState({ startedInstanceId });
+    }
+
     const { workspaceId } = this.props;
     try {
       const info = await getGitpodService().server.getWorkspace(workspaceId);
       if (info.latestInstance) {
-        this.setState({
-          workspace: info.workspace
-        });
-        this.onInstanceUpdate(info.latestInstance);
+        const instance = info.latestInstance;
+        this.setState((s) => ({
+          workspace: info.workspace,
+          startedInstanceId: s.startedInstanceId || instance.id,  // note: here's a potential mismatch between startedInstanceId and instance.id. TODO(gpl) How to handle this?
+        }));
+        this.onInstanceUpdate(instance);
       }
     } catch (error) {
       console.error(error);
@@ -197,7 +287,7 @@ export default class StartWorkspace extends React.Component<StartWorkspaceProps,
   }
 
   notifyDidOpenConnection() {
-    this.fetchWorkspaceInfo();
+    this.fetchWorkspaceInfo(undefined);
   }
 
   async onInstanceUpdate(workspaceInstance: WorkspaceInstance) {
@@ -210,7 +300,8 @@ export default class StartWorkspace extends React.Component<StartWorkspaceProps,
 
     // Redirect to workspaceURL if we are not yet running in an iframe.
     // It happens this late if we were waiting for a docker build.
-    if (!this.runsInIFrame() && workspaceInstance.ideUrl) {
+    const dontRedirect = this.state?.dontAutostart;
+    if (!this.runsInIFrame() && workspaceInstance.ideUrl && !dontRedirect) {
       this.redirectTo(workspaceInstance.ideUrl);
       return;
     }

components/supervisor/frontend/src/index.ts

@@ -153,7 +153,7 @@ const toStop = new DisposableCollection();
                 // reload the page if the workspace was restarted to ensure:
                 // - graceful reconnection of IDEs
                 // - new owner token is set
-                window.location.href = startUrl.toString();
+                window.location.href = startUrl.with({ search: "trigger=redirect_from_supervisor" }).toString();
             }
         }
         return loading.frame;

components/ws-proxy/pkg/proxy/routes.go

@@ -550,7 +550,7 @@ func workspaceMustExistHandler(config *Config, infoProvider WorkspaceInfoProvide
 			info := infoProvider.WorkspaceInfo(coords.ID)
 			if info == nil {
 				log.WithFields(log.OWI("", coords.ID, "")).Info("no workspace info found - redirecting to start")
-				redirectURL := fmt.Sprintf("%s://%s/start/#%s", config.GitpodInstallation.Scheme, config.GitpodInstallation.HostName, coords.ID)
+				redirectURL := fmt.Sprintf("%s://%s/start/?trigger=redirect_from_ws_cluster#%s", config.GitpodInstallation.Scheme, config.GitpodInstallation.HostName, coords.ID)
 				http.Redirect(resp, req, redirectURL, http.StatusFound)
 				return
 			}

components/ws-proxy/pkg/proxy/routes_test.go

@@ -414,10 +414,10 @@ func TestRoutes(t *testing.T) {
 				Status: http.StatusFound,
 				Header: http.Header{
 					"Content-Type": {"text/html; charset=utf-8"},
-					"Location":     {"https://test-domain.com/start/#blabla-smelt-9ba20cc1"},
+					"Location":     {"https://test-domain.com/start/?trigger=redirect_from_ws_cluster#blabla-smelt-9ba20cc1"},
 					"Vary":         {"Accept-Encoding"},
 				},
-				Body: ("<a href=\"https://test-domain.com/start/#blabla-smelt-9ba20cc1\">Found</a>.\n\n"),
+				Body: ("<a href=\"https://test-domain.com/start/?trigger=redirect_from_ws_cluster#blabla-smelt-9ba20cc1\">Found</a>.\n\n"),
 			},
 		},
 		{
@@ -429,10 +429,10 @@ func TestRoutes(t *testing.T) {
 				Status: http.StatusFound,
 				Header: http.Header{
 					"Content-Type": {"text/html; charset=utf-8"},
-					"Location":     {"https://test-domain.com/start/#blabla-smelt-9ba20cc1"},
+					"Location":     {"https://test-domain.com/start/?trigger=redirect_from_ws_cluster#blabla-smelt-9ba20cc1"},
 					"Vary":         {"Accept-Encoding"},
 				},
-				Body: ("<a href=\"https://test-domain.com/start/#blabla-smelt-9ba20cc1\">Found</a>.\n\n"),
+				Body: ("<a href=\"https://test-domain.com/start/?trigger=redirect_from_ws_cluster#blabla-smelt-9ba20cc1\">Found</a>.\n\n"),
 			},
 		},
 		{