Add an optional authentication mode for HTTP resources

src/core/public/application/capabilities/capabilities_service.tsx

@@ -37,8 +37,7 @@ export interface CapabilitiesStart {
  */
 export class CapabilitiesService {
   public async start({ appIds, http }: StartDeps): Promise<CapabilitiesStart> {
-    const route = http.anonymousPaths.isAnonymous(window.location.pathname) ? '/defaults' : '';
-    const capabilities = await http.post<Capabilities>(`/api/core/capabilities${route}`, {
+    const capabilities = await http.post<Capabilities>('/api/core/capabilities', {
       body: JSON.stringify({ applications: appIds }),
     });
 

src/core/server/capabilities/capabilities_service.test.ts

@@ -41,8 +41,8 @@ describe('CapabilitiesService', () => {
     });
 
     it('registers the capabilities routes', async () => {
-      expect(http.createRouter).toHaveBeenCalledWith('/api/core/capabilities');
-      expect(router.post).toHaveBeenCalledTimes(2);
+      expect(http.createRouter).toHaveBeenCalledWith('');
+      expect(router.post).toHaveBeenCalledTimes(1);
       expect(router.post).toHaveBeenCalledWith(expect.any(Object), expect.any(Function));
     });
 

src/core/server/capabilities/routes/index.ts

@@ -22,6 +22,6 @@ import { InternalHttpServiceSetup } from '../../http';
 import { registerCapabilitiesRoutes } from './resolve_capabilities';
 
 export function registerRoutes(http: InternalHttpServiceSetup, resolver: CapabilitiesResolver) {
-  const router = http.createRouter('/api/core/capabilities');
+  const router = http.createRouter('');
   registerCapabilitiesRoutes(router, resolver);
 }

src/core/server/capabilities/routes/resolve_capabilities.ts

@@ -22,30 +22,24 @@ import { IRouter } from '../../http';
 import { CapabilitiesResolver } from '../resolve_capabilities';
 
 export function registerCapabilitiesRoutes(router: IRouter, resolver: CapabilitiesResolver) {
-  // Capabilities are fetched on both authenticated and anonymous routes.
-  // However when `authRequired` is false, authentication is not performed
-  // and only default capabilities are returned (all disabled), even for authenticated users.
-  // So we need two endpoints to handle both scenarios.
-  [true, false].forEach(authRequired => {
-    router.post(
-      {
-        path: authRequired ? '' : '/defaults',
-        options: {
-          authRequired,
-        },
-        validate: {
-          body: schema.object({
-            applications: schema.arrayOf(schema.string()),
-          }),
-        },
+  router.post(
+    {
+      path: '/api/core/capabilities',
+      options: {
+        authRequired: 'optional',
       },
-      async (ctx, req, res) => {
-        const { applications } = req.body;
-        const capabilities = await resolver(req, applications);
-        return res.ok({
-          body: capabilities,
-        });
-      }
-    );
-  });
+      validate: {
+        body: schema.object({
+          applications: schema.arrayOf(schema.string()),
+        }),
+      },
+    },
+    async (ctx, req, res) => {
+      const { applications } = req.body;
+      const capabilities = await resolver(req, applications);
+      return res.ok({
+        body: capabilities,
+      });
+    }
+  );
 }

src/core/server/http/http_server.test.ts

@@ -810,7 +810,7 @@ test('exposes route details of incoming request to a route handler', async () =>
       method: 'get',
       path: '/',
       options: {
-        authRequired: true,
+        authRequired: false,
         tags: [],
       },
     });
@@ -922,7 +922,7 @@ test('exposes route details of incoming request to a route handler (POST + paylo
       method: 'post',
       path: '/',
       options: {
-        authRequired: true,
+        authRequired: false,
         tags: [],
         body: {
           parse: true, // hapi populates the default

src/core/server/http/http_server.ts

@@ -27,7 +27,7 @@ import { adoptToHapiOnPostAuthFormat, OnPostAuthHandler } from './lifecycle/on_p
 import { adoptToHapiOnPreAuthFormat, OnPreAuthHandler } from './lifecycle/on_pre_auth';
 import { adoptToHapiOnPreResponseFormat, OnPreResponseHandler } from './lifecycle/on_pre_response';
 
-import { IRouter } from './router';
+import { IRouter, RouteConfigOptions } from './router';
 import {
   SessionStorageCookieOptions,
   createCookieSessionStorageFactory,
@@ -148,15 +148,15 @@ export class HttpServer {
         this.log.debug(`registering route handler for [${route.path}]`);
         // Hapi does not allow payload validation to be specified for 'head' or 'get' requests
         const validate = ['head', 'get'].includes(route.method) ? undefined : { payload: true };
-        const { authRequired = true, tags, body = {} } = route.options;
+        const { authRequired, tags, body = {} } = route.options;
         const { accepts: allow, maxBytes, output, parse } = body;
+
         this.server.route({
           handler: route.handler,
           method: route.method,
           path: route.path,
           options: {
-            // Enforcing the comparison with true because plugins could overwrite the auth strategy by doing `options: { authRequired: authStrategy as any }`
-            auth: authRequired === true ? undefined : false,
+            auth: this.getAuthOption(authRequired),
             tags: tags ? Array.from(tags) : undefined,
             // TODO: This 'validate' section can be removed once the legacy platform is completely removed.
             // We are telling Hapi that NP routes can accept any payload, so that it can bypass the default
@@ -190,6 +190,20 @@ export class HttpServer {
     this.server = undefined;
   }
 
+  private getAuthOption(
+    authRequired: RouteConfigOptions<any>['authRequired'] = true
+  ): false | { mode: 'required' | 'optional' } {
+    if (this.authRegistered) {
+      if (authRequired === true) {
+        return { mode: 'required' };
+      }
+      if (authRequired === 'optional') {
+        return { mode: 'optional' };
+      }
+    }
+    return false;
+  }
+
   private setupBasePathRewrite(config: HttpConfig, basePathService: BasePath) {
     if (config.basePath === undefined || !config.rewriteBasePath) {
       return;
@@ -303,6 +317,11 @@ export class HttpServer {
             // where some plugin read directly from headers to identify whether a user is authenticated.
             Object.assign(req.headers, requestHeaders);
           }
+        },
+        (req, { responseHeaders }) => {
+          if (responseHeaders) {
+            this.authResponseHeaders.set(req, responseHeaders);
+          }
         }
       ),
     }));

src/core/server/http/http_service.mock.ts

@@ -115,6 +115,7 @@ const createOnPostAuthToolkitMock = (): jest.Mocked<OnPostAuthToolkit> => ({
 
 const createAuthToolkitMock = (): jest.Mocked<AuthToolkit> => ({
   authenticated: jest.fn(),
+  notHandled: jest.fn(),
 });
 
 const createOnPreResponseToolkitMock = (): jest.Mocked<OnPreResponseToolkit> => ({

src/core/server/http/integration_tests/lifecycle.test.ts

@@ -415,6 +415,23 @@ describe('Auth', () => {
       .expect(200, { content: 'ok' });
   });
 
+  it('blocks access to a resource if credentials are not recognized', async () => {
+    const { registerAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
+    const router = createRouter('/');
+
+    router.get({ path: '/', validate: false }, (context, req, res) =>
+      res.ok({ body: { content: 'ok' } })
+    );
+    registerAuth((req, res, t) => t.notHandled());
+    await server.start();
+
+    const result = await supertest(innerServer.listener)
+      .get('/')
+      .expect(401);
+
+    expect(result.body.message).toBe('Unauthorized');
+  });
+
   it('enables auth for a route by default if registerAuth has been called', async () => {
     const { registerAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
@@ -684,6 +701,27 @@ describe('Auth', () => {
     expect(response.header['www-authenticate']).toBe(authResponseHeader['www-authenticate']);
   });
 
+  it('attach security header to not handled auth response', async () => {
+    const { registerAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
+    const router = createRouter('/');
+
+    const authResponseHeader = {
+      'www-authenticate': 'from auth interceptor',
+    };
+    registerAuth((req, res, toolkit) => {
+      return toolkit.notHandled({ responseHeaders: authResponseHeader });
+    });
+
+    router.get({ path: '/', validate: false }, (context, req, res) => res.ok());
+    await server.start();
+
+    const response = await supertest(innerServer.listener)
+      .get('/')
+      .expect(401);
+
+    expect(response.header['www-authenticate']).toBe(authResponseHeader['www-authenticate']);
+  });
+
   it('attach security header to an error response', async () => {
     const { registerAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');
@@ -865,7 +903,7 @@ describe('Auth', () => {
       ]
     `);
   });
-  // eslint-disable-next-line
+
   it(`doesn't share request object between interceptors`, async () => {
     const { registerOnPostAuth, server: innerServer, createRouter } = await server.setup(setupDeps);
     const router = createRouter('/');

src/core/server/http/integration_tests/router.test.ts

@@ -46,6 +46,114 @@ afterEach(async () => {
   await server.stop();
 });
 
+describe('Options', () => {
+  describe('authRequired', () => {
+    describe('optional', () => {
+      it('User has access to a route if auth mechanism not registered', async () => {
+        const { server: innerServer, createRouter } = await server.setup(setupDeps);
+        const router = createRouter('/');
+
+        router.get(
+          { path: '/', validate: false, options: { authRequired: 'optional' } },
+          (context, req, res) => res.ok({ body: 'ok' })
+        );
+        await server.start();
+
+        await supertest(innerServer.listener)
+          .get('/')
+          .expect(200, 'ok');
+      });
+
+      it('Authenticated user has access to a route', async () => {
+        const { server: innerServer, createRouter, registerAuth } = await server.setup(setupDeps);
+        const router = createRouter('/');
+
+        registerAuth((req, res, toolkit) => {
+          return toolkit.authenticated();
+        });
+        router.get(
+          { path: '/', validate: false, options: { authRequired: 'optional' } },
+          (context, req, res) => res.ok({ body: 'ok' })
+        );
+        await server.start();
+
+        await supertest(innerServer.listener)
+          .get('/')
+          .expect(200, 'ok');
+      });
+
+      it('User with not recognized credentials has access to a route', async () => {
+        const { server: innerServer, createRouter, registerAuth } = await server.setup(setupDeps);
+        const router = createRouter('/');
+        const authResponseHeader = {
+          'www-authenticate': 'from auth interceptor',
+        };
+
+        registerAuth((req, res, toolkit) => {
+          return toolkit.notHandled({
+            responseHeaders: authResponseHeader,
+          });
+        });
+        router.get(
+          { path: '/', validate: false, options: { authRequired: 'optional' } },
+          (context, req, res) => res.ok({ body: 'ok' })
+        );
+        await server.start();
+
+        const response = await supertest(innerServer.listener)
+          .get('/')
+          .expect(200, 'ok');
+
+        expect(response.header['www-authenticate']).toBe(authResponseHeader['www-authenticate']);
+      });
+    });
+    describe('true', () => {
+      it('Authenticated user has access to a route', async () => {
+        const { server: innerServer, createRouter, registerAuth } = await server.setup(setupDeps);
+        const router = createRouter('/');
+
+        registerAuth((req, res, toolkit) => {
+          return toolkit.authenticated();
+        });
+        router.get(
+          { path: '/', validate: false, options: { authRequired: 'optional' } },
+          (context, req, res) => res.ok({ body: 'ok' })
+        );
+        await server.start();
+
+        await supertest(innerServer.listener)
+          .get('/')
+          .expect(200, 'ok');
+      });
+
+      it('User with not recognized credentials has no access to a route', async () => {
+        const { server: innerServer, createRouter, registerAuth } = await server.setup(setupDeps);
+        const router = createRouter('/');
+        const authResponseHeader = {
+          'www-authenticate': 'from auth interceptor',
+        };
+
+        registerAuth((req, res, toolkit) => {
+          return toolkit.notHandled({
+            responseHeaders: authResponseHeader,
+          });
+        });
+        router.get(
+          { path: '/', validate: false, options: { authRequired: true } },
+          (context, req, res) => res.ok({ body: 'ok' })
+        );
+        await server.start();
+
+        const response = await supertest(innerServer.listener)
+          .get('/')
+          .expect(401);
+
+        expect(response.header['www-authenticate']).toBe(authResponseHeader['www-authenticate']);
+      });
+    });
+  });
+});
+
 describe('Handler', () => {
   it("Doesn't expose error details if handler throws", async () => {
     const { server: innerServer, createRouter } = await server.setup(setupDeps);