Skip to content
This repository has been archived by the owner on Jan 20, 2023. It is now read-only.

Support single-host mode of Che server. #11

Merged
merged 4 commits into from
Sep 4, 2019
Merged

Support single-host mode of Che server. #11

merged 4 commits into from
Sep 4, 2019

Conversation

metlos
Copy link
Contributor

@metlos metlos commented Aug 26, 2019

What does this PR do?

Support single-host mode of Che server.

  • A custom URI prefix for the auth redirect can be configured. This is so
    that we can construct valid externally reachable URLs even behind a
    path-rewriting ingress
  • Change the order in which the auth token is located. First we try to
    find it in the query params, then in the Authorization header as a bearer
    token and only then in the cookie. This enables us to "refresh" the token
    from the client side easily.
  • On any error to validate the token (apart from the inability to parse the
    token in the first place) we know send the auth redirect instead of an
    error. This should help the client side refresh the token on timeouts, etc.
  • Do not set the cookie in the response if cookies are not enabled in the
    config.
  • Respond with 403 - Forbidden if cookies are not enabled. In this case
    the client needs to directly authenticate with the backend server.

What issues does this PR fix or reference?

eclipse-che/che#14189

@metlos metlos mentioned this pull request Aug 26, 2019
Merged
@sleshchenko
Copy link
Member

FYI Travis CI build failed.

jwt/jwt_test.go:279:22: not enough arguments in call to jwt.Verify

@metlos
Support single-host mode of Che server.
bf50951 
* A custom URI prefix for the auth redirect can be configured. This is so
that we can construct valid externally reachable URLs even behind a
path-rewriting  ingress
* Change the order in which the auth token is located. First we try to
find it in the query params, then in the Authorization header as a bearer
token and only then in the cookie. This enables us to "refresh" the token
from the client side easily.
* On any error to validate the token (apart from the inability to parse the
token in the first place) we know send the auth redirect instead of an
error. This should help the client side refresh the token on timeouts, etc.
* Do not set the cookie in the response if cookies are not enabled in the
config.
* Respond with 403 - Forbidden if cookies are not enabled. In this case
the client needs to directly authenticate with the backend server.
@metlos
Copy link
Contributor Author

metlos commented Aug 27, 2019

FYI Travis CI build failed.

jwt/jwt_test.go:279:22: not enough arguments in call to jwt.Verify

Fixed. Silly me :)

@metlos
Copy link
Contributor Author

metlos commented Aug 29, 2019

Please don't merge this yet until we resolve the naming of the new config properties in eclipse-che/che#14335 (review)

sleshchenko
sleshchenko reviewed Sep 2, 2019
View reviewed changes
jwt/jwt.go Show resolved Hide resolved
sleshchenko
sleshchenko approved these changes Sep 2, 2019
View reviewed changes
Copy link
Member

@sleshchenko sleshchenko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

Please take a look inline comments

@metlos metlos merged commit 71013a4 into eclipse-che:master Sep 4, 2019
@amisevsk amisevsk mentioned this pull request Sep 25, 2019
Closed
8 tasks
@metlos metlos deleted the single-host branch July 7, 2021 14:51
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@skabashnyuk skabashnyuk skabashnyuk approved these changes

@sleshchenko sleshchenko sleshchenko approved these changes

@mshaposhnik mshaposhnik Awaiting requested review from mshaposhnik

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@metlos @sleshchenko @skabashnyuk