[dummy] auth

Author: akosyakov

components/server/src/api/dummy.ts

@@ -4,19 +4,20 @@
  * See License.AGPL.txt in the project root for license information.
  */
 
-import { HandlerContext, ServiceImpl } from "@bufbuild/connect";
+import { Code, ConnectError, HandlerContext, ServiceImpl } from "@bufbuild/connect";
+import { User } from "@gitpod/gitpod-protocol";
 import { HelloService } from "@gitpod/public-api/lib/gitpod/experimental/v1/dummy_connectweb";
 import {
     LotsOfRepliesRequest,
     LotsOfRepliesResponse,
     SayHelloRequest,
     SayHelloResponse,
 } from "@gitpod/public-api/lib/gitpod/experimental/v1/dummy_pb";
-import { injectable } from "inversify";
+import { inject, injectable } from "inversify";
+import { SessionHandler } from "../session-handler";
 
 /**
  * TODO(ak):
- * - auth
  * - server-side observability
  * - client-side observability
  * - rate limitting
@@ -27,25 +28,40 @@ import { injectable } from "inversify";
  */
 @injectable()
 export class APIHelloService implements ServiceImpl<typeof HelloService> {
+    constructor(
+        @inject(SessionHandler)
+        private readonly sessionHandler: SessionHandler,
+    ) {}
+
     async sayHello(req: SayHelloRequest, context: HandlerContext): Promise<SayHelloResponse> {
+        const user = await this.authUser(context);
         const response = new SayHelloResponse();
-        response.reply = "Hello " + this.getSubject();
+        response.reply = "Hello " + this.getSubject(user);
         return response;
     }
     async *lotsOfReplies(req: LotsOfRepliesRequest, context: HandlerContext): AsyncGenerator<LotsOfRepliesResponse> {
+        const user = await this.authUser(context);
         let count = req.previousCount || 0;
         while (true) {
             const response = new LotsOfRepliesResponse();
-            response.reply = `Hello ${this.getSubject()} ${count}`;
+            response.reply = `Hello ${this.getSubject(user)} ${count}`;
             response.count = count;
             yield response;
             count++;
             await new Promise((resolve) => setTimeout(resolve, 30000));
         }
     }
 
-    private getSubject(): string {
-        // TODO(ak) get identify from JWT
-        return "World";
+    private getSubject(user: User): string {
+        return User.getName(user) || "World";
+    }
+
+    // TODO(ak) decorate
+    private async authUser(context: HandlerContext) {
+        const user = await this.sessionHandler.verify(context.requestHeader.get("cookie"));
+        if (!user) {
+            throw new ConnectError("unauthenticated", Code.Unauthenticated);
+        }
+        return user;
     }
 }

components/server/src/server.ts

@@ -307,6 +307,7 @@ export class Server {
         log.info("Registered Bitbucket Server app at " + BitbucketServerApp.path);
         app.use(BitbucketServerApp.path, this.bitbucketServerApp.router);
 
+        // TODO(ak) move to own app on port 3001
         app.use(this.api.apiRouter);
     }
 

components/server/src/session-handler.ts

@@ -8,6 +8,7 @@ import express from "express";
 import { inject, injectable } from "inversify";
 import websocket from "ws";
 
+import { User } from "@gitpod/gitpod-protocol";
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 import { AuthJWT } from "./auth/jwt";
 import { Config } from "./config";
@@ -90,38 +91,37 @@ export class SessionHandler {
     // On failure, the next handler is called and the `req.user` is not set. Some APIs/Websocket RPCs do
     // not require authentication, and as such we cannot fail the request at this stage.
     protected async handler(req: express.Request, next: express.NextFunction): Promise<void> {
-        const cookies = parseCookieHeader(req.headers.cookie || "");
+        const user = await this.verify(req.headers.cookie || "");
+        if (user) {
+            // We set the user object on the request to signal the user is authenticated.
+            // Passport uses the `user` property on the request to determine if the session
+            // is authenticated.
+            req.user = user;
+        }
+
+        next();
+    }
+
+    async verify(cookie: string): Promise<User | undefined> {
+        const cookies = parseCookieHeader(cookie);
         const jwtToken = cookies[this.getJWTCookieName(this.config)];
         if (!jwtToken) {
             log.debug("No JWT session present on request");
-            next();
-            return;
+            return undefined;
         }
-
         try {
             const claims = await this.authJWT.verify(jwtToken);
-            log.debug("JWT Session token verified", {
-                claims,
-            });
+            log.debug("JWT Session token verified", { claims });
 
             const subject = claims.sub;
             if (!subject) {
                 throw new Error("Subject is missing from JWT session claims");
             }
 
-            const user = await this.userService.findUserById(subject, subject);
-
-            // We set the user object on the request to signal the user is authenticated.
-            // Passport uses the `user` property on the request to determine if the session
-            // is authenticated.
-            req.user = user;
-
-            // Trigger the next middleware in the chain.
-            next();
+            return await this.userService.findUserById(subject, subject);
         } catch (err) {
             log.warn("Failed to authenticate user with JWT Session", err);
-            // Remove the existing cookie, to force the user to re-sing in, and hence refresh it
-            next();
+            return undefined;
         }
     }