This repository has been archived by the owner on Jan 20, 2023. It is now read-only.

Support single-host mode of Che server. #11

Merged
merged 4 commits into from
Sep 4, 2019


metlos
Contributor

@metlos metlos commented Aug 26, 2019

What does this PR do?

Support single-host mode of Che server.

  • A custom URI prefix for the auth redirect can be configured. This is so
    that we can construct valid externally reachable URLs even behind a
    path-rewriting ingress
  • Change the order in which the auth token is located. First we try to
    find it in the query params, then in the Authorization header as a bearer
    token and only then in the cookie. This enables us to "refresh" the token
    from the client side easily.
  • On any error to validate the token (apart from the inability to parse the
    token in the first place) we now send the auth redirect instead of an
    error. This should help the client side refresh the token on timeouts, etc.
  • Do not set the cookie in the response if cookies are not enabled in the
    config.
  • Respond with 403 - Forbidden if cookies are not enabled. In this case
    the client needs to directly authenticate with the backend server.

What issues does this PR fix or reference?

eclipse-che/che#14189
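
The token lookup order from the PR description above (query parameter, then bearer header, then cookie), as an added Go example that is not the project's own code. The parameter name `token`, the cookie name `access_token`, the `/workspace/` path and both function names are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed names, not taken from the PR: stand-ins for the configured values.
const queryParam, cookieName = "token", "access_token"

// locateToken returns the raw token and where it was found, trying the
// query parameter first, then the bearer header, then the cookie.
func locateToken(r *http.Request) (token, source string) {
	if t := r.URL.Query().Get(queryParam); t != "" {
		return t, "query"
	}
	// Auth schemes are case-insensitive; non-bearer schemes fall through.
	f := strings.Fields(r.Header.Get("Authorization"))
	if len(f) == 2 && strings.EqualFold(f[0], "Bearer") {
		return f[1], "header"
	}
	if c, err := r.Cookie(cookieName); err == nil && c.Value != "" {
		return c.Value, "cookie"
	}
	return "", "none"
}

// sampleRequest builds a constructed request; empty arguments are omitted.
func sampleRequest(query, authHeader, cookie string) *http.Request {
	target := "/workspace/"
	if query != "" {
		target += "?" + queryParam + "=" + query
	}
	r := httptest.NewRequest(http.MethodGet, target, nil)
	if authHeader != "" {
		r.Header.Set("Authorization", authHeader)
	}
	if cookie != "" {
		r.AddCookie(&http.Cookie{Name: cookieName, Value: cookie})
	}
	return r
}

func main() {
	// A fresh token in the query string wins over a stale cookie.
	fmt.Println(locateToken(sampleRequest("fresh", "", "stale")))
}
```

Returning the source next to the token lets a handler record which path supplied the credential without writing the token itself to a log.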

@sleshchenko
Member

FYI Travis CI build failed.

jwt/jwt_test.go:279:22: not enough arguments in call to jwt.Verify

@metlos
Contributor Author

metlos commented Aug 27, 2019

FYI Travis CI build failed.

jwt/jwt_test.go:279:22: not enough arguments in call to jwt.Verify

Fixed. Silly me :)

@metlos
Contributor Author

metlos commented Aug 29, 2019

Please don't merge this yet until we resolve the naming of the new config properties in eclipse-che/che#14335 (review)

Member

@sleshchenko sleshchenko left a comment

LGTM.

Please take a look at the inline comments.

@metlos metlos merged commit 71013a4 into eclipse-che:master Sep 4, 2019
@metlos metlos deleted the single-host branch July 7, 2021 14:51