Ak/revert (#18959)

* Revert "fix JWT verification (#18957)"

This reverts commit 90c3541.

* Revert "[public-api] add rate limiting in server (#18953)"

This reverts commit 01f100b.

Author: akosyakov

components/server/src/api/rate-limited.ts

@@ -30,13 +30,6 @@ import { APIStatsService as StatsServiceAPI } from "./stats";
 import { APITeamsService as TeamsServiceAPI } from "./teams";
 import { APIUserService as UserServiceAPI } from "./user";
 import { WorkspaceServiceAPI } from "./workspace-service-api";
-import { IRateLimiterOptions, RateLimiterMemory, RateLimiterRedis, RateLimiterRes } from "rate-limiter-flexible";
-import { Redis } from "ioredis";
-import { RateLimited } from "./rate-limited";
-import { Config } from "../config";
-import { ApplicationError, ErrorCodes } from "@gitpod/gitpod-protocol/lib/messaging/error";
-import { UserService } from "../user/user-service";
-import { User } from "@gitpod/gitpod-protocol";
 
 decorate(injectable(), PublicAPIConverter);
 
@@ -53,9 +46,6 @@ export class API {
     @inject(HelloServiceAPI) private readonly helloServiceApi: HelloServiceAPI;
     @inject(SessionHandler) private readonly sessionHandler: SessionHandler;
     @inject(PublicAPIConverter) private readonly apiConverter: PublicAPIConverter;
-    @inject(Redis) private readonly redis: Redis;
-    @inject(Config) private readonly config: Config;
-    @inject(UserService) private readonly userService: UserService;
 
     listenPrivate(): http.Server {
         const app = express();
@@ -184,30 +174,9 @@ export class API {
 
                     const context = args[1] as HandlerContext;
 
-                    const rateLimit = async (subjectId: string) => {
-                        const key = `${grpc_service}/${grpc_method}`;
-                        const options = self.config.rateLimits?.[key] || RateLimited.getOptions(target, prop);
-                        try {
-                            await self.getRateLimitter(options).consume(`${subjectId}_${key}`);
-                        } catch (e) {
-                            if (e instanceof RateLimiterRes) {
-                                throw new ConnectError("rate limit exceeded", Code.ResourceExhausted, {
-                                    // http compatibility, can be respected by gRPC clients as well
-                                    // instead of doing an ad-hoc retry, the client can wait for the given amount of seconds
-                                    "Retry-After": e.msBeforeNext / 1000,
-                                    "X-RateLimit-Limit": options.points,
-                                    "X-RateLimit-Remaining": e.remainingPoints,
-                                    "X-RateLimit-Reset": new Date(Date.now() + e.msBeforeNext),
-                                });
-                            }
-                            throw e;
-                        }
-                    };
-
                     const apply = async <T>(): Promise<T> => {
-                        const subjectId = await self.verify(context);
-                        await rateLimit(subjectId);
-                        context.user = await self.ensureFgaMigration(subjectId);
+                        const user = await self.verify(context);
+                        context.user = user;
 
                         return Reflect.apply(target[prop as any], target, args);
                     };
@@ -242,49 +211,16 @@ export class API {
         };
     }
 
-    private async verify(context: HandlerContext): Promise<string> {
-        const claims = await this.sessionHandler.verifyJWTCookie(context.requestHeader.get("cookie") || "");
-        const subjectId = claims?.sub;
-        if (!subjectId) {
+    private async verify(context: HandlerContext) {
+        const user = await this.sessionHandler.verify(context.requestHeader.get("cookie") || "");
+        if (!user) {
             throw new ConnectError("unauthenticated", Code.Unauthenticated);
         }
-        return subjectId;
-    }
-
-    private async ensureFgaMigration(userId: string): Promise<User> {
-        const fgaChecksEnabled = await isFgaChecksEnabled(userId);
+        const fgaChecksEnabled = await isFgaChecksEnabled(user.id);
         if (!fgaChecksEnabled) {
             throw new ConnectError("unauthorized", Code.PermissionDenied);
         }
-        try {
-            return await this.userService.findUserById(userId, userId);
-        } catch (e) {
-            if (e instanceof ApplicationError && e.code === ErrorCodes.NOT_FOUND) {
-                throw new ConnectError("unauthorized", Code.PermissionDenied);
-            }
-            throw e;
-        }
-    }
-
-    private readonly rateLimiters = new Map<string, RateLimiterRedis>();
-    private getRateLimitter(options: IRateLimiterOptions): RateLimiterRedis {
-        const sortedKeys = Object.keys(options).sort();
-        const sortedObject: { [key: string]: any } = {};
-        for (const key of sortedKeys) {
-            sortedObject[key] = options[key as keyof IRateLimiterOptions];
-        }
-        const key = JSON.stringify(sortedObject);
-
-        let rateLimiter = this.rateLimiters.get(key);
-        if (!rateLimiter) {
-            rateLimiter = new RateLimiterRedis({
-                storeClient: this.redis,
-                ...options,
-                insuranceLimiter: new RateLimiterMemory(options),
-            });
-            this.rateLimiters.set(key, rateLimiter);
-        }
-        return rateLimiter;
+        return user;
     }
 
     static bindAPI(bind: interfaces.Bind): void {

components/server/src/api/server.ts

@@ -21,9 +21,6 @@ import { UserAuthentication } from "../user/user-authentication";
 import { WorkspaceService } from "../workspace/workspace-service";
 import { API } from "./server";
 import { SessionHandler } from "../session-handler";
-import { Redis } from "ioredis";
-import { UserService } from "../user/user-service";
-import { Config } from "../config";
 
 const expect = chai.expect;
 
@@ -42,9 +39,6 @@ export class APITeamsServiceSpec {
         this.container.bind(WorkspaceService).toConstantValue({} as WorkspaceService);
         this.container.bind(UserAuthentication).toConstantValue({} as UserAuthentication);
         this.container.bind(SessionHandler).toConstantValue({} as SessionHandler);
-        this.container.bind(Config).toConstantValue({} as Config);
-        this.container.bind(Redis).toConstantValue({} as Redis);
-        this.container.bind(UserService).toConstantValue({} as UserService);
 
         // Clean-up database
         const typeorm = testContainer.get<TypeORM>(TypeORM);

components/server/src/api/teams.spec.db.ts

@@ -17,7 +17,6 @@ import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 import { filePathTelepresenceAware } from "@gitpod/gitpod-protocol/lib/env";
 import { WorkspaceClassesConfig } from "./workspace/workspace-classes";
 import { PrebuildRateLimiters } from "./workspace/prebuild-rate-limiter";
-import { IRateLimiterOptions } from "rate-limiter-flexible";
 
 export const Config = Symbol("Config");
 export type Config = Omit<
@@ -173,20 +172,9 @@ export interface ConfigSerialized {
 
     /**
      * The configuration for the rate limiter we (mainly) use for the websocket API
-     * @deprecated used for JSON-RPC API, for gRPC use rateLimits
      */
     rateLimiter: RateLimiterConfig;
 
-    /**
-     * The configuration for the rate limiter we use for the gRPC API.
-     * As a primary means use RateLimited decorator.
-     * Only use this if you need to adjst in production, make sure to apply changes to the decorator as well.
-     * Key is of the form `<grpc_service>/<grpc_method>`
-     */
-    rateLimits?: {
-        [key: string]: IRateLimiterOptions;
-    };
-
     /**
      * The address content service clients connect to
      * Example: content-service:8080

components/server/src/config.ts

@@ -15,7 +15,6 @@ import { Config } from "./config";
 import { WsNextFunction, WsRequestHandler } from "./express/ws-handler";
 import { reportJWTCookieIssued } from "./prometheus-metrics";
 import { UserService } from "./user/user-service";
-import { JwtPayload } from "jsonwebtoken";
 
 @injectable()
 export class SessionHandler {
@@ -104,15 +103,21 @@ export class SessionHandler {
     }
 
     async verify(cookie: string): Promise<User | undefined> {
+        const cookies = parseCookieHeader(cookie);
+        const jwtToken = cookies[this.getJWTCookieName(this.config)];
+        if (!jwtToken) {
+            log.debug("No JWT session present on request");
+            return undefined;
+        }
         try {
-            const claims = await this.verifyJWTCookie(cookie);
-            if (!claims) {
-                return undefined;
-            }
+            const claims = await this.authJWT.verify(jwtToken);
+            log.debug("JWT Session token verified", { claims });
+
             const subject = claims.sub;
             if (!subject) {
                 throw new Error("Subject is missing from JWT session claims");
             }
+
             return await this.userService.findUserById(subject, subject);
         } catch (err) {
             log.warn("Failed to authenticate user with JWT Session", err);
@@ -121,24 +126,6 @@ export class SessionHandler {
         }
     }
 
-    /**
-     * Verify the JWT session cookie.
-     * @throws only in case of programming errors, if the cookie is invalid, undefined is returned
-     * @param cookie - the cookie header value to verify
-     * @returns returns the claims of the JWT session cookie or undefined if the cookie is not present or invalid
-     */
-    async verifyJWTCookie(cookie: string): Promise<JwtPayload | undefined> {
-        const cookies = parseCookieHeader(cookie);
-        const jwtToken = cookies[this.getJWTCookieName(this.config)];
-        if (!jwtToken) {
-            log.debug("No JWT session present on request");
-            return undefined;
-        }
-        const claims = await this.authJWT.verify(jwtToken);
-        log.debug("JWT Session token verified", { claims });
-        return claims;
-    }
-
     public async createJWTSessionCookie(
         userID: string,
     ): Promise<{ name: string; value: string; opts: express.CookieOptions }> {