Refactor external auth providers to re-generate headers on demand #6687
Conversation
| @@ -23,8 +23,7 @@ export interface AuthCredentials { | |||
|
|
|||
| export interface HeaderCredential { | |||
| // We use function instead of property to prevent accidential top level serialization - we never want to store this data | |||
| getHeaders(): Record<string, string> | |||
| expiration: number | undefined | |||
There was a problem hiding this comment.
Exposing it in the API only complicates the code, we don't need it there.
| @@ -33,28 +37,43 @@ export class OpenTelemetryService { | |||
|
|
|||
| constructor() { | |||
| this.configSubscription = combineLatest( | |||
| externalAuthRefresh, | |||
There was a problem hiding this comment.
A little hack, as CodyTraceExport does not expose API which would allow us to add custom headers per request, so we need to create new instance of it every time headers changes.
Changes are simple though, diff is big due to indentation change.
There was a problem hiding this comment.
Hmm, this is not watertight. We could leak the credentials from site X to trace provider for site Y if the external auth refresh and resolved config timings are out of step.
Also because the external auth refresh pings for changes but doesn't carry the value (which seems good, it will catch up immediately) if there's some rapid changes to auth, maybe things can get out of step more easily.
Could you drop a TODO here and point to https://linear.app/sourcegraph/project/cody-auth-state-rewritecleanup-7ac1409cc579/overview or a task within it, that this state should be joined?
There was a problem hiding this comment.
Good point, I will add a TODO!
On a good side I do not think we would leak anything either way because I added safeguard to the function sending headers:
export function addAuthHeaders(auth: AuthCredentials, headers: Headers, url: URL): void {
// We want to be sure we sent authorization headers only to the valid endpoint
if (auth.credentials && url.host === new URL(auth.serverEndpoint).host) {So in worst case request won't pass because of missing credentials, but it will not leak them.
But I agree it's a problem regardless.
There was a problem hiding this comment.
Oh nice, I missed that guard. 👍
pkukielka
force-pushed
the
pkukielka/refactor-ext-auth-provider
branch
2 times, most recently
from
c9d62f0 to
1027505
Compare
| return credentials | ||
| } | ||
|
|
||
| async function createTokenCredentails( |
There was a problem hiding this comment.
| async function createTokenCredentails( | |
| async function createTokenCredentials( |
|
|
||
| return undefined | ||
| function createHeaderCredentails( |
There was a problem hiding this comment.
| function createHeaderCredentails( | |
| function createHeaderCredentials( |
|
|
||
| export class ExternalProviderAuthError extends Error {} | ||
|
|
||
| export function isExternalProviderAuthError(error: unknown): boolean { |
There was a problem hiding this comment.
Use a type predicate so the result of this check flows into TypeScript type inference, see https://www.typescriptlang.org/docs/handbook/2/narrowing.html#using-type-predicates
| export function isExternalProviderAuthError(error: unknown): boolean { | |
| export function isExternalProviderAuthError(error: unknown): error is ExternalAuthProvider { |
| @@ -33,28 +37,43 @@ export class OpenTelemetryService { | |||
|
|
|||
| constructor() { | |||
| this.configSubscription = combineLatest( | |||
| externalAuthRefresh, | |||
There was a problem hiding this comment.
Hmm, this is not watertight. We could leak the credentials from site X to trace provider for site Y if the external auth refresh and resolved config timings are out of step.
Also because the external auth refresh pings for changes but doesn't carry the value (which seems good, it will catch up immediately) if there's some rapid changes to auth, maybe things can get out of step more easily.
Could you drop a TODO here and point to https://linear.app/sourcegraph/project/cody-auth-state-rewritecleanup-7ac1409cc579/overview or a task within it, that this state should be joined?
| async getHeaders() { | ||
| try { | ||
| if (!_headersCache || hasExpired((await _headersCache)?.expiration)) { | ||
| _headersCache = getExternalProviderHeaders(externalProvider) |
There was a problem hiding this comment.
This isn't right. You can have two race in here and both call getExternalProviderHeaders one after the other.
Typical pattern would be to check the Promise you awaited is the one you're resetting, something like:
while (true) {
const observed = _headersCache;
if (!observed || hasExpired(await observed)?.expiration) {
if (observed !== _headersCache) {
continue; // retry
}
observed = _headersCache = getExternalProviderHeaders(externalProvider);
}
return (await observed).headers;
}| throw new Error(`Output of the external auth command is invalid: ${result}`) | ||
| } | ||
|
|
||
| if (credentials.expiration && hasExpired(credentials.expiration)) { |
There was a problem hiding this comment.
hasExpired already handles undefined as "not expired" so you can simplify this to skip credentials.expiration &&
pkukielka
force-pushed
the
pkukielka/refactor-ext-auth-provider
branch
from
1027505 to
f089485
Compare
pkukielka
force-pushed
the
pkukielka/refactor-ext-auth-provider
branch
from
f089485 to
9831df6
Compare
| @@ -33,28 +37,43 @@ export class OpenTelemetryService { | |||
|
|
|||
| constructor() { | |||
| this.configSubscription = combineLatest( | |||
| externalAuthRefresh, | |||
There was a problem hiding this comment.
Oh nice, I missed that guard. 👍
Changes
That PR eliminates annoying chat reload upon an token refresh if external auth provider is used.
It does so by splitting external auth provider evaluation into two steps which happens at different stages: config resolution and http request building.
At config resolution we only evaluate config itself and prepare a function which will be later used to generate auth headers later. That function (
getHeaders) is then used to obtain auth headers every time we are doing an authorised http request. Normally headers are cached, but if they expiregetHeadersshould internally refresh the cache and return an updated headers. If updated headers are still expired error will be shown to the user.In opposition to the previous solution errors in executing external provider command, or token expiration, does not lead
to the config invalidation - config always remains the same unless changed by the user. The only thing which changes is result of
getHeadersfunctions.Errors from
getHeadersare processed and handled in the same way as e.g.Network ErrororInvalid Access Token, so we do not need custom code to handle them.Test plan
Setup
Set
cody.auth.externalProvidersconfig to use provider which support credentials expiration.You can use configuration shown bellow.
Please also make sure you have proxy running and your sourcegraph server have http auth proxy enabled, as described in #6526.
{ "cody.auth.externalProviders": [ { "endpoint": "http://localhost:7777", "executable": { "commandLine": ["/Users/pkukielka/Work/sourcegraph/cody2/agent/scripts/simple-external-auth-provider.py"], "shell": "/bin/bash", } } ], "cody.override.serverEndpoint": "http://localhost:7777", }Scenario 1:
simple-external-auth-provider.pyshould be successfully signed-in assomeusersimple-external-auth-provider.pyand changecurrent_epoch = int(time.time()) + 30tocurrent_epoch = int(time.time()) - 30simple-external-auth-provider.pyScenario 2:
simple-external-auth-provider.pyshould be successfully signed-in assomeusersimple-external-auth-provider.pyand changecurrent_epoch = int(time.time()) + 30tocurrent_epoch = int(time.time()) - 30They should be successful, but when 30 sec will pas since last action before the
simple-external-auth-provider.pyedit, you should get an credential expiration errorsimple-external-auth-provider.pyScenario 3:
simple-external-auth-provider.pyand changecurrent_epoch = int(time.time()) + 30tocurrent_epoch = int(time.time()) - 30simple-external-auth-provider.py