[app] Implement Authentication

Author: ricoberger

CHANGELOG.md

@@ -20,7 +20,7 @@ NOTE: As semantic versioning states all 0.y.z releases can contain breaking chan
 - [#399](https://github.com/kobsio/kobs/pull/399): [github] Add new `usernotifications` panel and allow users to use the plugin within the Notifications.
 - [#401](https://github.com/kobsio/kobs/pull/401): [app] Add integrations for Kubernetes Resource, which allows administrators to define a set of default dashboards, which are added to each resource.
 - [#402](https://github.com/kobsio/kobs/pull/402): [app] Add `mongodb` driver as alternative to the existing `bolt` driver.
-- [#406](https://github.com/kobsio/kobs/pull/406): [app] Implement authentication, so that no third party service like [OAuth2-Proxy](https://oauth2-proxy.github.io/oauth2-proxy/) is required to grant users access to kobs.
+- [#406](https://github.com/kobsio/kobs/pull/406): [app] :warning: _Breaking change:_ :warning: Implement authentication, so that no third party service like [OAuth2-Proxy](https://oauth2-proxy.github.io/oauth2-proxy/) is required to grant users access to kobs.
 - [#407](https://github.com/kobsio/kobs/pull/407): [sql] Add `singlestats` chart to render single values returned by a query.
 - [#411](https://github.com/kobsio/kobs/pull/411): [sql] Add `yAxisGroup` property for charts.
 

pkg/hub/auth/auth.go

@@ -4,6 +4,8 @@ import (
 	"context"
 	"encoding/json"
 	"net/http"
+	"net/url"
+	"strings"
 	"time"
 
 	authContext "github.com/kobsio/kobs/pkg/hub/auth/context"
@@ -112,7 +114,7 @@ func (c *client) getUserFromConfig(email string) *UserConfig {
 // handle this within other API calls, because we will always have a valid user object there.
 func (c *client) getUserFromRequest(r *http.Request) (*authContext.User, error) {
 	if c.config.Enabled {
-		cookie, err := r.Cookie("kobs-auth")
+		cookie, err := r.Cookie("kobs")
 		if err != nil {
 			return nil, err
 		}
@@ -145,11 +147,11 @@ func (c *client) userHandler(w http.ResponseWriter, r *http.Request) {
 	render.JSON(w, r, user)
 }
 
-// loginHandler handles the login of users, which are provided via the configuration file of the hub. For that we have
+// signinHandler handles the login of users, which are provided via the configuration file of the hub. For that we have
 // to check if the user from the request is present in the configuration and if the provided password matches the
 // configured password. If this is the case we are are creating a user object with all the users permissions and using
 // it in the session token. The session token is then set as cookie, so it can be validated with each request.
-func (c *client) loginHandler(w http.ResponseWriter, r *http.Request) {
+func (c *client) signinHandler(w http.ResponseWriter, r *http.Request) {
 	var loginRequest LoginRequest
 
 	err := json.NewDecoder(r.Body).Decode(&loginRequest)
@@ -193,42 +195,51 @@ func (c *client) loginHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	http.SetCookie(w, &http.Cookie{
-		Name:     "kobs-auth",
+		Name:     "kobs",
 		Value:    token,
 		Path:     "/",
-		Secure:   false,
+		Secure:   true,
 		HttpOnly: true,
 		Expires:  time.Now().Add(c.config.Session.ParsedInterval),
 	})
 
-	render.JSON(w, r, user)
+	render.JSON(w, r, nil)
 }
 
-// logoutHandler handles the logout for an user. For this we are setting the value of the auth cookie to an empty string
-// and we adjust the expiration date of the cookie. Finally we redirect the user to the start page of kobs, we the auth
-// context fails and the user has to do the auth flow again.
-func (c *client) logoutHandler(w http.ResponseWriter, r *http.Request) {
+// signoutHandler handles the logout for an user. For this we are setting the value of the auth cookie to an empty
+// string and we adjust the expiration date of the cookie.
+func (c *client) signoutHandler(w http.ResponseWriter, r *http.Request) {
 	http.SetCookie(w, &http.Cookie{
-		Name:     "kobs-auth",
+		Name:     "kobs",
 		Value:    "",
 		Path:     "/",
-		Secure:   false,
+		Secure:   true,
 		HttpOnly: true,
 		Expires:  time.Unix(0, 0),
 	})
 
-	http.Redirect(w, r, "/", http.StatusSeeOther)
+	render.JSON(w, r, nil)
 }
 
-// oidcRedirectHandler redirects a user to the configured OIDC provider to start the login flow. If no OIDC provider was
-// configured we redirect the user to the frontend.
-func (c *client) oidcRedirectHandler(w http.ResponseWriter, r *http.Request) {
+// oidcRedirectHandler returns the login for the OIDC provider, which can then be used by the user to authenticate via
+// the configured provider. If no OIDC provider is configured this will return an error.
+//
+// We also "abusing" the state parameter by adding a redirect url, so that we have access to this url in the
+// oidcCallbackHandler and that we can redirect the user to this url.
+func (c *client) oidcHandler(w http.ResponseWriter, r *http.Request) {
 	if c.oidcConfig == nil || c.oidcProvider == nil {
-		http.Redirect(w, r, "/", http.StatusSeeOther)
+		log.Warn(r.Context(), "OIDC provider is not configured")
+		errresponse.Render(w, r, nil, http.StatusBadRequest, "OIDC provider is not configured")
 		return
 	}
 
-	http.Redirect(w, r, c.oidcConfig.AuthCodeURL(c.config.OIDC.State), http.StatusFound)
+	data := struct {
+		URL string `json:"url"`
+	}{
+		c.oidcConfig.AuthCodeURL(c.config.OIDC.State + url.QueryEscape(r.URL.Query().Get("redirect"))),
+	}
+
+	render.JSON(w, r, data)
 }
 
 // oidcCallbackHandler handles the callback from the OIDC login flow. Once we finished the OIDC flow and retrieved the
@@ -240,8 +251,10 @@ func (c *client) oidcCallbackHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if r.URL.Query().Get("state") != c.config.OIDC.State {
-		log.Warn(r.Context(), "Invalid state")
+	state := r.URL.Query().Get("state")
+
+	if !strings.HasPrefix(state, c.config.OIDC.State) {
+		log.Warn(r.Context(), "Invalid state", zap.String("state", state))
 		errresponse.Render(w, r, nil, http.StatusBadRequest, "Invalid state")
 		return
 	}
@@ -295,15 +308,21 @@ func (c *client) oidcCallbackHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	http.SetCookie(w, &http.Cookie{
-		Name:     "kobs-auth",
+		Name:     "kobs",
 		Value:    token,
 		Path:     "/",
-		Secure:   false,
+		Secure:   true,
 		HttpOnly: true,
 		Expires:  time.Now().Add(c.config.Session.ParsedInterval),
 	})
 
-	render.JSON(w, r, user)
+	data := struct {
+		URL string `json:"url"`
+	}{
+		strings.TrimPrefix(state, c.config.OIDC.State),
+	}
+
+	render.JSON(w, r, data)
 }
 
 // NewClient returns a new auth client for handling authentication and authorization within the kobs hub. The auth
@@ -349,9 +368,9 @@ func NewClient(config Config, storeClient store.Client) (Client, error) {
 	}
 
 	c.router.Get("/", c.userHandler)
-	c.router.Post("/login", c.loginHandler)
-	c.router.Get("/logout", c.logoutHandler)
-	c.router.Get("/oidc", c.oidcRedirectHandler)
+	c.router.Post("/signin", c.signinHandler)
+	c.router.Get("/signout", c.signoutHandler)
+	c.router.Get("/oidc", c.oidcHandler)
 	c.router.Get("/oidc/callback", c.oidcCallbackHandler)
 
 	return c, nil

pkg/hub/auth/auth_test.go

@@ -51,7 +51,7 @@ func TestMiddlewareHandler(t *testing.T) {
 			expectedStatusCode: http.StatusUnauthorized,
 			expectedBody:       "{\"error\":\"Unauthorized: token contains an invalid number of segments\"}\n",
 			prepareRequest: func(r *http.Request) {
-				r.AddCookie(&http.Cookie{Name: "kobs-auth", Value: "fake"})
+				r.AddCookie(&http.Cookie{Name: "kobs", Value: "fake"})
 			},
 		},
 		{
@@ -61,7 +61,7 @@ func TestMiddlewareHandler(t *testing.T) {
 			expectedBody:       "null\n",
 			prepareRequest: func(r *http.Request) {
 				token, _ := jwt.CreateToken(authContext.User{Email: "user1@kobs.io"}, "", 10*time.Minute)
-				r.AddCookie(&http.Cookie{Name: "kobs-auth", Value: token})
+				r.AddCookie(&http.Cookie{Name: "kobs", Value: token})
 			},
 		},
 	} {
@@ -183,7 +183,7 @@ func TestUserHandler(t *testing.T) {
 			expectedStatusCode: http.StatusUnauthorized,
 			expectedBody:       "{\"error\":\"Unauthorized: token contains an invalid number of segments\"}\n",
 			prepareRequest: func(r *http.Request) {
-				r.AddCookie(&http.Cookie{Name: "kobs-auth", Value: "fake"})
+				r.AddCookie(&http.Cookie{Name: "kobs", Value: "fake"})
 			},
 		},
 		{
@@ -193,7 +193,7 @@ func TestUserHandler(t *testing.T) {
 			expectedBody:       "{\"email\":\"user1@kobs.io\",\"teams\":null,\"permissions\":{}}\n",
 			prepareRequest: func(r *http.Request) {
 				token, _ := jwt.CreateToken(authContext.User{Email: "user1@kobs.io"}, "", 10*time.Minute)
-				r.AddCookie(&http.Cookie{Name: "kobs-auth", Value: token})
+				r.AddCookie(&http.Cookie{Name: "kobs", Value: token})
 			},
 		},
 	} {
@@ -209,7 +209,7 @@ func TestUserHandler(t *testing.T) {
 	}
 }
 
-func TestLoginHandler(t *testing.T) {
+func TestSigninHandler(t *testing.T) {
 	for _, tt := range []struct {
 		name               string
 		client             client
@@ -277,7 +277,7 @@ func TestLoginHandler(t *testing.T) {
 			client:             client{config: Config{Enabled: true, Users: []UserConfig{{Email: "admin", Password: "$2y$10$UPPBv.HThEllgJZINbFwYOsru62d.LT0EqG3XLug2pG81IvemopH2"}}}},
 			requestBody:        "{\"email\":\"admin\", \"password\":\"fakepassword\"}\n",
 			expectedStatusCode: http.StatusOK,
-			expectedBody:       "{\"email\":\"admin\",\"teams\":null,\"permissions\":{}}\n",
+			expectedBody:       "null\n",
 			prepareStoreClient: func(mockStoreClient *store.MockClient) {
 				mockStoreClient.On("GetUsersByEmail", mock.Anything, mock.Anything).Return(nil, nil)
 				mockStoreClient.AssertNotCalled(t, "GetTeamsByGroups", mock.Anything, mock.Anything)
@@ -292,7 +292,7 @@ func TestLoginHandler(t *testing.T) {
 
 			req, _ := http.NewRequestWithContext(context.Background(), http.MethodPost, "/", bytes.NewBuffer([]byte(tt.requestBody)))
 			w := httptest.NewRecorder()
-			tt.client.loginHandler(w, req)
+			tt.client.signinHandler(w, req)
 
 			require.Equal(t, tt.expectedStatusCode, w.Code)
 			require.Equal(t, tt.expectedBody, string(w.Body.Bytes()))
@@ -301,27 +301,27 @@ func TestLoginHandler(t *testing.T) {
 	}
 }
 
-func TestLogoutHandler(t *testing.T) {
+func TestSignoutHandler(t *testing.T) {
 	c := client{
 		router: chi.NewRouter(),
 	}
 
 	req, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "/", nil)
 	w := httptest.NewRecorder()
-	c.logoutHandler(w, req)
-	require.Equal(t, http.StatusSeeOther, w.Code)
+	c.signoutHandler(w, req)
+	require.Equal(t, http.StatusOK, w.Code)
 }
 
-func TestOidcRedirectHandler(t *testing.T) {
+func TestOidcHandler(t *testing.T) {
 	t.Run("oidc not configured", func(t *testing.T) {
 		c := client{
 			router: chi.NewRouter(),
 		}
 
 		req, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "/", nil)
 		w := httptest.NewRecorder()
-		c.oidcRedirectHandler(w, req)
-		require.Equal(t, http.StatusSeeOther, w.Code)
+		c.oidcHandler(w, req)
+		require.Equal(t, http.StatusBadRequest, w.Code)
 	})
 
 	t.Run("redirect", func(t *testing.T) {
@@ -342,8 +342,8 @@ func TestOidcRedirectHandler(t *testing.T) {
 
 		req, _ := http.NewRequestWithContext(context.Background(), http.MethodGet, "/", nil)
 		w := httptest.NewRecorder()
-		c.oidcRedirectHandler(w, req)
-		require.Equal(t, http.StatusFound, w.Code)
+		c.oidcHandler(w, req)
+		require.Equal(t, http.StatusOK, w.Code)
 	})
 }