server, ui: login: template logged in user into index.html

[vilterp]

...instead of serving a static index.html generated at build time via a webpack plugin. This allows the UI to decide whether it needs to show a login UI (and show the logged in username if there is one) without making an additional request to the backend.

Fixes #25171

TODO:

• make sure this doesn't break make buildshort
• favicon not showing up
• tests
  • insecure: can get assets, index.html doesn't have user
  • secure
    • logged out: can get assets, index.html doesn't have user
    • logged in: can get assets, index.html has user
• fix race condition where health check endpoint crashes server before it's fully started up

Release note: None

[cockroach-teamcity]

This change is 

[couchand]

Reviewed 4 of 4 files at r1.
Review status: all files reviewed at latest revision, all discussions resolved, some commit checks failed.

---

pkg/server/authentication.go, line 309 at r1 (raw file):

	inner  http.Handler

	rejectIfUnauthenticated bool

suggest reversing the logic so the zero value is the safe one... allowAnonymous maybe?

---

pkg/server/authentication.go, line 313 at r1 (raw file):

func newAuthenticationMux(
	s *authenticationServer, inner http.Handler, rejectIfUnauthenticated bool,

suggest exposing two different constructors rather than passing in the bool

---

pkg/server/authentication.go, line 327 at r1 (raw file):

	username, httpCode, err := am.getSession(w, req)
	if am.rejectIfUnauthenticated && err != nil {
		http.Error(w, err.Error(), httpCode)

i think i made this comment on the original pr... i don't think we should be returning the error. we should log it, but the actor attempting to log in shouldn't be able to see details beyond the status code.

---

pkg/server/authentication.go, line 332 at r1 (raw file):

	newCtx := context.WithValue(req.Context(), loggedInUserKey{}, username)
	newReq := req.WithContext(newCtx)

probably worth updating tests to reflect this

---

pkg/server/server.go, line 1450 at r1 (raw file):

	log.Event(ctx, "added http endpoints")

	// Also throw the landing page in there. It won't work well, but it's better than a 404.

are you sure you want to move this all the way down here? if so, the comment isn't really relevant anymore...

---

pkg/server/server.go, line 1459 at r1 (raw file):

	})

	assetsHandler := func(writer http.ResponseWriter, request *http.Request) {

suggest moving this to a new file and adding tests for the various cases.

---

pkg/server/server.go, line 1478 at r1 (raw file):

			wrappedErr := errors.Wrap(err, "templating index.html")
			log.Error(ctx, wrappedErr)
			writer.WriteHeader(500)

http.Error?

---

pkg/ui/ui.go, line 101 at r1 (raw file):

		</script>

		<script src="protos.dll.js" type="text/javascript"></script>

if we can get these to be build-time rather than code-time, that would be ideal, but if that's too complicated hard-coding isn't that bad.

---

Comments from Reviewable

[mrtracy]

It's my opinion that, rather than having index.html be generated with "loggedInUser" set, we should have the authenticationMux set a second, non-httponly cookie on the outgoing response which contains the logged in user name. I think that the index.html generation here is a bit heavy-handed for this particular enhancement.

---

Review status: all files reviewed at latest revision, 8 unresolved discussions, some commit checks failed.

---

pkg/server/authentication.go, line 313 at r1 (raw file):

Previously, couchand (Andrew Couch) wrote…

suggest exposing two different constructors rather than passing in the bool

+1

---

pkg/server/authentication.go, line 327 at r1 (raw file):

Previously, couchand (Andrew Couch) wrote…

i think i made this comment on the original pr... i don't think we should be returning the error. we should log it, but the actor attempting to log in shouldn't be able to see details beyond the status code.

Agreed, this could unintentionally leak details to an unauthenticated client.

---

Comments from Reviewable

[couchand]

set a second, non-httponly cookie on the outgoing response ... the index.html generation here is a bit heavy-handed for this particular enhancement

a reasonable perspective, however, this also seems like a good strategy for addressing #19024

[vilterp]

Thanks @mrtracy; I hadn't really considered passing the username as a cookie accessible from JS.

In past projects, a server-templated JS object has proven useful for a lot of things (version, auth, data loading, feature flags, etc) so I figured it was worth introducing, despite maybe not being the most expedient way to do login.

[vilterp]

Review status: 1 of 4 files reviewed at latest revision, 8 unresolved discussions.

---

pkg/server/authentication.go, line 309 at r1 (raw file):

Previously, couchand (Andrew Couch) wrote…

suggest reversing the logic so the zero value is the safe one... allowAnonymous maybe?

Done.

---

pkg/server/authentication.go, line 313 at r1 (raw file):

Previously, mrtracy (Matt Tracy) wrote…

+1

Done, although the names are clunky. Lmk if you have better ideas.

---

pkg/server/server.go, line 1478 at r1 (raw file):

Previously, couchand (Andrew Couch) wrote…

http.Error?

Done. Thanks; this didn't seem idiomatic and somehow I forgot about http.Error.

---

pkg/ui/ui.go, line 101 at r1 (raw file):

Previously, couchand (Andrew Couch) wrote…

if we can get these to be build-time rather than code-time, that would be ideal, but if that's too complicated hard-coding isn't that bad.

Yeah, I couldn't think of a way of passing them that was worth the complexity. The names of the three bundles were hardcoded in the webpack config anyway, so we haven't really increased the amount of hardcoding.

---

Comments from Reviewable

[vilterp]

Update: after some debugging with Andrei, looks like the crash should be fixed by #24945. The problem was that in server.Start the healthcheck endpoint is exposed before the SQL executor is initialized. This was never a problem until authorization was turned on (with the env var), which causes it to run SQL to check the session. Once we exempt it from auth, it won't run SQL, as before.

[couchand]

Review status: 0 of 8 files reviewed at latest revision, 2 unresolved discussions.

---

pkg/server/authentication.go, line 313 at r1 (raw file):

Previously, vilterp (Pete Vilter) wrote…

Done, although the names are clunky. Lmk if you have better ideas.

I just removed "DisallowAnonymous" since that's considered the default.

---

pkg/server/authentication.go, line 327 at r1 (raw file):

Previously, mrtracy (Matt Tracy) wrote…

Agreed, this could unintentionally leak details to an unauthenticated client.

Updated to log the real error and then respond with a generic error.

---

Comments from Reviewable

[couchand]

@mrtracy would you please take one more look at this when you get a chance?

[mrtracy]

Review status: 0 of 8 files reviewed at latest revision, 2 unresolved discussions, some commit checks failed.

---

pkg/server/authentication.go, line 327 at r1 (raw file):

Previously, couchand (Andrew Couch) wrote…

Updated to log the real error and then respond with a generic error.

Isn't this going to log "Web Session Error" when you load up index.html the first time, without yet having logged in?

---

Comments from Reviewable

[mrtracy]

Had a comment on the log message for unauthenticated requests, otherwise this is

---

Review status: 0 of 8 files reviewed at latest revision, 2 unresolved discussions, some commit checks failed.

---

Comments from Reviewable

[couchand]

Review status: 0 of 8 files reviewed at latest revision, 2 unresolved discussions, some commit checks failed.

---

pkg/server/authentication.go, line 327 at r1 (raw file):

Previously, mrtracy (Matt Tracy) wrote…

Isn't this going to log "Web Session Error" when you load up index.html the first time, without yet having logged in?

Indeed. I think we still want to log if it hits any but the first conditional in getSession, or maybe this should just be moved into the if !am.allowAnonymous block?

Actually, I think getSession should just take into account am.allowAnonymous.

---

Comments from Reviewable

[couchand]

Reviewed 4 of 8 files at r2, 4 of 4 files at r3.
Review status: all files reviewed at latest revision, 2 unresolved discussions.

---

pkg/server/authentication.go, line 327 at r1 (raw file):

Previously, couchand (Andrew Couch) wrote…

Indeed. I think we still want to log if it hits any but the first conditional in getSession, or maybe this should just be moved into the if !am.allowAnonymous block?

Actually, I think getSession should just take into account am.allowAnonymous.

Nevermind on that last point, it's too much work for too little benefit. I just pushed it inside the if !am.allowAnonymous block.

---

Comments from Reviewable

[couchand]

bors r+

[craig]

Build succeeded

• GitHub CI (Cockroach)