feat: local mode token protection (#245)
Co-authored-by: UncleGedd <42304551+UncleGedd@users.noreply.github.com>
Co-authored-by: Tristan Holaday <40547442+TristanHoladay@users.noreply.github.com>
1 parent a99bc23, commit d356940
Showing 29 changed files with 571 additions and 55 deletions.
@@ -0,0 +1,42 @@ | ||
name: API Auth Tests | ||
on: | ||
workflow_call: | ||
pull_request: | ||
branches: [main] | ||
types: [milestoned, opened, edited, synchronize] | ||
paths-ignore: | ||
- "**.md" | ||
- "**.jpg" | ||
- "**.png" | ||
- "**.gif" | ||
- "**.svg" | ||
- "adr/**" | ||
- "docs/**" | ||
- "CODEOWNERS" | ||
- "goreleaser.yml" | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
tests: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | ||
|
||
- name: Setup Environment (Go, Node, Homebrew, UDS CLI, k3d) | ||
uses: ./.github/actions/setup | ||
|
||
- name: Run tests | ||
run: uds run test:api-auth | ||
timeout-minutes: 30 | ||
|
||
- name: Debug Output | ||
uses: defenseunicorns/uds-common/.github/actions/debug-output@76287d41ec5f06ecbdd0a6453877a78675aceffe # v0.11.2 | ||
|
||
- name: Save logs | ||
if: always() | ||
uses: defenseunicorns/uds-common/.github/actions/save-logs@76287d41ec5f06ecbdd0a6453877a78675aceffe # v0.11.2 | ||
with: | ||
suffix: api-auth |
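Review bot: the `Debug Output` step in this workflow hunk has no `if: always()`, so when `Run tests` fails (exactly the case where debug output is most useful) the step is skipped and only `Save logs` runs. Suggest adding `if: always()` to `Debug Output`, mirroring the `Save logs` step. Pinning both `uds-common` actions and `actions/checkout` to full commit SHAs with a version comment, and setting `permissions: contents: read` at the top level, is the right posture for a workflow triggered by `pull_request`.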
@@ -28,6 +28,7 @@ vite.config.ts.timestamp-* | |
zarf-sbom | ||
tmp/ | ||
*.tar.zst | ||
.vscode/ | ||
|
||
*.pem | ||
.github/test-infra/**/.terraform* |
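Review bot: the new `*.pem` pattern in this ignore-list hunk matches key and certificate files anywhere in the tree, which keeps locally generated keys out of commits but will also silently hide any `.pem` fixture a test later needs; if such a fixture is ever required it has to be force-added or the pattern narrowed, the way the neighbouring `.github/test-infra/**/.terraform*` entry is already path-scoped. Worth remembering that an ignore entry is a convenience, not a control: it does not stop `git add -f`, so a secret-scanning hook or CI check is still what actually prevents a key from landing in history.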
@@ -0,0 +1,13 @@ | ||
# API AUTHENTICATION | ||
|
||
API authentication is used to prevent unauthorized access to the API from other processes when running UDS Runtime locally. The API uses a token-based authentication system. The token is generated by the backend server and is used to authenticate the user. API authentication is enabled by default, to disable it you can set the `API_AUTH_DISABLED` environment variable to true. | ||
|
||
How does the frontend authenticate? | ||
- Backend generates a token when it is started up and launches UDS Runtime in the browser. | ||
- i.e.(Runtime API connection: `http://127.0.0.1:8080/auth?token=r1hrQ9CcuZMKpY2egjsPrzmge3-YqfqOHjmlIOvdKrLGOLnHPgFWt3dzsdkHwzDdXQAfRRHiH~rbGEx7Jc7rTxTd4riCuqGH`) | ||
- Frontend hits the /auth-status endpoint to see if API authentication is enabled. | ||
- This is done so that the frontend can get the value of the `API_AUTH_DISABLED` environment variable at runtime. | ||
- The frontend passes the token as a query parameter in the URL to the backend to authenticate the user. | ||
- When authenticated, the token is stored in `sessionStorage` and is valid for the duration of the page session. | ||
- The token is then used when creating the EventSources for the various views. | ||
- Reauthentication is possible by hitting the /auth endpoint with the token as a query parameter. |
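Review bot: the doc describes the token travelling as a URL query parameter (`/auth?token=...`) but does not say why that is acceptable here; query strings are recorded in browser history and in proxy or server access logs and can leak through the `Referer` header, so the text should state explicitly that this scheme is intended only for the loopback `127.0.0.1` local mode and that the token is never sent to a remote host. The example URL shows a full literal token; mark it as illustrative so nobody reads it as a fixed value. The sentence about setting `API_AUTH_DISABLED` "to true" should also give the exact value the backend checks for.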
@@ -0,0 +1,27 @@ | ||
// SPDX-License-Identifier: Apache-2.0 | ||
// SPDX-FileCopyrightText: 2024-Present The UDS Authors | ||
|
||
package auth | ||
|
||
import ( | ||
"crypto/rand" | ||
) | ||
|
||
// Very limited special chars for git / basic auth | ||
// https://owasp.org/www-community/password-special-characters has complete list of safe chars. | ||
const randomStringChars = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~-" | ||
|
||
// RandomString generates a secure random string of the specified length. | ||
func RandomString(length int) (string, error) { | ||
bytes := make([]byte, length) | ||
|
||
if _, err := rand.Read(bytes); err != nil { | ||
return "", err | ||
} | ||
|
||
for i, b := range bytes { | ||
bytes[i] = randomStringChars[b%byte(len(randomStringChars))] | ||
} | ||
|
||
return string(bytes), nil | ||
} |
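Review bot: `randomStringChars` has exactly 64 entries, so the `b%byte(len(randomStringChars))` in the loop is free of modulo bias (256 is a multiple of 64); that property is what makes `RandomString` suitable for generating an auth token, but nothing in the file records it, so a later edit that adds or removes a character would silently bias the output. Suggest a comment on the constant stating that the alphabet length must divide 256, or a check on `len(randomStringChars)` at init time. The leading comment about "git / basic auth" also reads as carried over from another use of this helper; in this package the string is the local API token, so the comment should say that.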
@@ -0,0 +1,29 @@ | ||
// SPDX-License-Identifier: Apache-2.0 | ||
// SPDX-FileCopyrightText: 2024-Present The UDS Authors | ||
|
||
// Package auth provides an endpoint for authenticating against the runtime server. | ||
package auth | ||
|
||
import ( | ||
"net/http" | ||
) | ||
|
||
// RequireSecret ensures the request has a valid token. | ||
func RequireSecret(validToken string) func(http.Handler) http.Handler { | ||
return func(next http.Handler) http.Handler { | ||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { | ||
token := r.URL.Query().Get("token") | ||
if token != validToken { | ||
w.WriteHeader(http.StatusUnauthorized) | ||
return | ||
} | ||
|
||
next.ServeHTTP(w, r) | ||
}) | ||
} | ||
} | ||
|
||
// Connect is a head-only request to test the connection. | ||
func Connect(w http.ResponseWriter, _ *http.Request) { | ||
w.WriteHeader(http.StatusOK) | ||
} |
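Review bot: `RequireSecret` checks the presented token with `token != validToken`, a non-constant-time string comparison; for a shared-secret check use `subtle.ConstantTimeCompare([]byte(token), []byte(validToken)) != 1` from `crypto/subtle` so the response time does not depend on how many leading bytes match. The `Connect` comment says it is a head-only request, but the handler accepts any method; either restrict the route registration to `HEAD` or check `r.Method` inside the handler so the documentation and behaviour agree.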