[server] JWT cookie management tests

[akosyakov]

Description

This PR:

• covers SessionHandler entirely with integration tests against DB
• makes the necessary refactoring to SessionHandler to allow brining back rate limiting for Public API

Summary generated by Copilot

🤖 Generated by Copilot at a8f6a38

Refactored the JWT authentication logic and tests in the server component. Extracted the AuthConfig type from config.ts and used a mock configuration object for testing. Added a new file session-handler.spec.db.ts with tests for the SessionHandler class. Simplified the tests in jwt.spec.ts by using a mock configuration object. Moved the toKeyPair function to a different file.

Related Issue(s)

Fixes #

How to test

• Start a Gitpod workspace on this PR and run tests.
• To validate that indeed would catch the issue, apply the bug:

diff --git a/components/server/src/session-handler.ts b/components/server/src/session-handler.ts
index ae8e7715e..088fe7538 100644
--- a/components/server/src/session-handler.ts
+++ b/components/server/src/session-handler.ts
@@ -116,7 +116,7 @@ export class SessionHandler {
                 throw new Error("Subject is missing from JWT session claims");
             }
 
-            return await this.userService.findUserById(subject, subject);
+            return await this.userService.findUserById(claims.subject, claims.subject);
         } catch (err) {
             log.warn("Failed to authenticate user with JWT Session", err);
             // Remove the existing cookie, to force the user to re-sing in, and hence refresh it

• Go further and rollback @svenefftinge's guard on user DB:

diff --git a/components/gitpod-db/src/typeorm/user-db-impl.ts b/components/gitpod-db/src/typeorm/user-db-impl.ts
index d1f76e043..d4c4e68bf 100644
--- a/components/gitpod-db/src/typeorm/user-db-impl.ts
+++ b/components/gitpod-db/src/typeorm/user-db-impl.ts
@@ -133,9 +133,9 @@ export class TypeORMUserDBImpl extends TransactionalDBImpl<UserDB> implements Us
     }
 
     public async findUserById(id: string): Promise<MaybeUser> {
-        if (!id || id.trim() === "") {
+        /*if (!id || id.trim() === "") {
             throw new ApplicationError(ErrorCodes.BAD_REQUEST, "Cannot find user without id");
-        }
+        }*/
         return this.cache.get(getUserCacheKey(id), async () => {
             const userRepo = await this.getUserRepo();
             const result = await userRepo.findOne(id);

In my case following tests are failing now with returning a wrong user

Test preview envs:

• Sign-in
• Start workspace
• Sign-out
• Try to break it somehow

Documentation

Preview status

Gitpod was successfully deployed to your preview environment.

• 🏷️ Name - ak-jwt-mand55a65b0f5
• 🔗 URL - ak-jwt-mand55a65b0f5.preview.gitpod-dev.com/workspaces.
• 📚 Documentation - See our internal documentation for information on how to interact with your preview environment.
• 📦 Version - ak-jwt_management_tests-gha.18870
• 🗒️ Logs - GCP Logs Explorer

Build Options

Build

• /werft with-werft
  Run the build with werft instead of GHA
• leeway-no-cache
• /werft no-test
  Run Leeway with --dont-test

Publish

• /werft publish-to-npm
• /werft publish-to-jb-marketplace

Installer

• analytics=segment
• with-dedicated-emulation
• workspace-feature-flags
  Add desired feature flags to the end of the line above, space separated

Preview Environment / Integration Tests

• /werft with-local-preview
  If enabled this will build install/preview
• /werft with-preview
• /werft with-large-vm
• /werft with-gce-vm
  If enabled this will create the environment on GCE infra
• with-integration-tests=all
  Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
• with-monitoring

/hold

[akosyakov]

/gh run recreate-vm=true

Comment triggered a workflow run

Started workflow run: 6591498101

• recreate_vm: true

[akosyakov]

/gh run recreate-vm=true

Comment triggered a workflow run

Started workflow run: 6610090229

• recreate_vm: true

[akosyakov]

/unhold