apiv2: accept cookie auth when header is non-empty #84617
Conversation
|
This change is |
There was a problem hiding this comment.
May I recommend a release note in category "security update" that explains the change, e.g. "The /api/v2 HTTP endpoints now accept authentication information using a cookie (FIXME: insert required cookie name here), as long as the X-Cockroach-API-Session header is also present in the request and has a non-empty value."
I would also like to suggest that you fix the expected value of the header to a specific string, e.g. yes in your test, and make it part of your check. This way, we could use different values in the header in the future to support multiple authn protocols side-by-side.
Reviewed 3 of 4 files at r1, all commit messages.
Reviewable status:complete! 0 of 0 LGTMs obtained (waiting on @erikgrinaker, @kpatron-cockroachlabs, and @xinhaoz)
There was a problem hiding this comment.
For my own curiosity, is there a reason we use a custom header for the API token instead of the standard Authorization: Bearer <value> pattern?
From a person only looking at the client interactions it may make things slightly easier to understand if we use a separate header for CSRF protection vs API token.
Reviewable status:
There was a problem hiding this comment.
@knz do you know of a historical reason why we don't use the Authorization: Bearer pattern?
@kpatron-cockroachlabs thanks for the suggestion. Perhaps I'll use X-Cockroach-API-Auth with a value of cookie to handle this particular case.
Reviewable status:
When this was first implemented I have a vague recollection of us (@bdarnell , @itsbilal and I) discussing CSRF protection and one of us determined a custom header was an existing established practice. Maybe Ben and/or Bilal can comment further? |
There was a problem hiding this comment.
My understanding is the Authorization header should also satisfy those CSRF protections as well.
Reviewable status:
There was a problem hiding this comment.
I tested my changes on top of this and everything works as expected. Thanks for this, David!
Reviewed 1 of 4 files at r1, all commit messages.
Reviewable status:
This commit adds the v1 Insights page to the DB Console, via the cluster-ui package. The v1 Insights page only includes a Transactions Insights overview page, populated with information served a new "endpoint" built on top of the SQL-over-HTTP API. Note this PR is dependent on the changes in cockroachdb#84617 and xinhaoz/cockroach@c069738.. Release note (ui change): Added new Insights page to DB Console
This commit adds the v1 Insights page to the DB Console, via the cluster-ui package. The v1 Insights page only includes a Transactions Insights overview page, populated with information served a new "endpoint" built on top of the SQL-over-HTTP API. Note this PR is dependent on the changes in cockroachdb#84617 and xinhaoz/cockroach@c069738.. Release note (ui change): Added new Insights page to DB Console
This commit adds the v1 Insights page to the DB Console, via the cluster-ui package. The v1 Insights page only includes a Transactions Insights overview page, populated with information served a new "endpoint" built on top of the SQL-over-HTTP API. Note this PR is dependent on the changes in cockroachdb#84617 and xinhaoz/cockroach@c069738.. Release note (ui change): Added new Insights page to DB Console
This commit adds the v1 Insights page to the DB Console, via the cluster-ui package. The v1 Insights page only includes a Transactions Insights overview page, populated with information served a new "endpoint" built on top of the SQL-over-HTTP API. Note this PR is dependent on the changes in cockroachdb#84617 and xinhaoz/cockroach@c069738.. Release note (ui change): Added new Insights page to DB Console
This commit adds the v1 Insights page to the DB Console, via the cluster-ui package. The v1 Insights page only includes a Transactions Insights overview page, populated with information served a new "endpoint" built on top of the SQL-over-HTTP API. Note this PR is dependent on the changes in cockroachdb#84617 and xinhaoz/cockroach@c069738.. Release note (ui change): Added new Insights page to DB Console
This commit adds the v1 Insights page to the DB Console, via the cluster-ui package. The v1 Insights page only includes a Transactions Insights overview page, populated with information served a new "endpoint" built on top of the SQL-over-HTTP API. Note this PR is dependent on the changes in cockroachdb#84617 and xinhaoz/cockroach@c069738.. Release note (ui change): Added new Insights page to DB Console
dhartunian
force-pushed
the
api-v2-accepts-cookies
branch
from
713ebb2 to
264ac95
Compare
There was a problem hiding this comment.
I've decided that this PR is not the forum to modify the auth session header name and, am conservatively keeping the one custom header we have for now.
In the case of cookie-based auth, the session header will require a specific value of "cookie" in order to read the session from the cookie.
Reviewable status:
dhartunian
force-pushed
the
api-v2-accepts-cookies
branch
from
264ac95 to
8bf2a58
Compare
|
@knz PTAL |
There was a problem hiding this comment.
Reviewed 3 of 3 files at r2, all commit messages.
Reviewable status:
pkg/server/api_v2_auth.go line 290 at r2 (raw file):
// session can be looked up either from a session cookie as used in the // non-v2 API server, or via the session header. In order for us to pick // up a session, the header must still be non-empty in the case of
nit: update comment to mention 'cookie' keyword.
pkg/server/api_v2_auth.go line 322 at r2 (raw file):
for i := range possibleSessions { decoded, err = base64.StdEncoding.DecodeString(possibleSessions[i]) if err != nil {
here and below. log.Warningf for the error.
pkg/server/api_v2_auth.go line 329 at r2 (raw file):
continue } // We've successfully decoded a session from cookie or header
nit: period at end of sentnece.
In order to make use of HTTP endpoints under `/api/v2` in the DB Console it is necessary to support cookie-based authentication for ergonomic Javascript use. Previously, header-based auth was not possible to use in the DB Console because the login endpoint we use returns the session in a Cookie. Moving this cookie into a header would require us to read into a less-secure storage method (local storage, redux, etc.) instead of keeping it secure in the browser's cookie storage. We implement a suggestion to rely on Cookie auth by requiring the presence of the auth header with a magic value of `"cookie"` that tells the server to look for the session in the session cookie. This forces the caller to modify the request via JS, which protects us from CSRF since cross-origin requests can only be "simple". See the issue for further discussion. Resolves cockroachdb#84311 Release note (security update): The HTTP endpoints under the `/api/v2` prefix will now accept cookie-based authentication similar to other HTTP endpoints used by the DB Console. The encoded session *must* be in a cookie named `"session"`, and the `"X-Cockroach-API-Session"` header is required to be set to `"cookie"` for the session to be read from the cookie header. A cookie provided without the custom header present will be ignored.
dhartunian
force-pushed
the
api-v2-accepts-cookies
branch
from
8bf2a58 to
b5bad38
Compare
There was a problem hiding this comment.
Reviewable status:
pkg/server/api_v2_auth.go line 290 at r2 (raw file):
Previously, knz (kena) wrote…
nit: update comment to mention 'cookie' keyword.
Done.
pkg/server/api_v2_auth.go line 322 at r2 (raw file):
Previously, knz (kena) wrote…
here and below.
log.Warningffor the error.
Done.
pkg/server/api_v2_auth.go line 329 at r2 (raw file):
Previously, knz (kena) wrote…
nit: period at end of sentnece.
Done.
|
TFTRs bors r=knz,kpatron-cockroachlabs,xinhaoz |
|
Build failed (retrying...): |
|
Build failed (retrying...): |
|
Build succeeded: |
|
Encountered an error creating backports. Some common things that can go wrong:
You might need to create your backport manually using the backport tool. error creating merge commit from b5bad38 to blathers/backport-release-22.1-84617: POST https://api.github.com/repos/cockroachdb/cockroach/merges: 409 Merge conflict [] you may need to manually resolve merge conflicts with the backport tool. Backport to branch 22.1.x failed. See errors above. 🦉 Hoot! I am a Blathers, a bot for CockroachDB. My owner is otan. |
84612: ui: add insights overview page v1 r=maryliag a=ericharmeling This commit adds the v1 Insights page to the DB Console, via the cluster-ui package. The v1 Insights page only includes a Transactions Insights overview page, populated with information served a new "endpoint" built on top of the SQL-over-HTTP API. Note this PR is dependent on the changes in #84617 and #85080. After #84998 is merged with all the needed columns, we can rewrite the insights API to query the internal insights table. Fixes #83774. Release note (ui change): Added new Insights page to DB Console 85757: backupccl,importer: remove `at_current_time` cluster settings r=adityamaru a=erikgrinaker Release note (ops change): The cluster settings `bulkio.restore_at_current_time.enabled` and `bulkio.import_at_current_time.enabled`, which were introduced in 22.1 and defaulted to `true`, have been retired. They are now in effect always enabled. Co-authored-by: Eric Harmeling <[email protected]> Co-authored-by: Erik Grinaker <[email protected]>
This commit adds the v1 Insights page to the DB Console, via the cluster-ui package. The v1 Insights page only includes a Transactions Insights overview page, populated with information served a new "endpoint" built on top of the SQL-over-HTTP API. Note this PR is dependent on the changes in cockroachdb#84617 and xinhaoz/cockroach@c069738.. Release note (ui change): Added new Insights page to DB Console
In order to make use of HTTP endpoints under
/api/v2in the DB Consoleit is necessary to support cookie-based authentication for ergonomic
Javascript use.
Previously, header-based auth was not possible to use in the DB Console
because the login endpoint we use returns the session in a Cookie.
Moving this cookie into a header would require us to read into a
less-secure storage method (local storage, redux, etc.) instead of
keeping it secure in the browser's cookie storage.
We implement a suggestion to rely on Cookie auth by requiring the
presence of the auth header with a magic value of
"cookie"that tells theserver to look for the session in the session cookie. This forces the caller
to modify the request via JS, which protects us from CSRF since
cross-origin requests can only be "simple". See the issue for further
discussion.
Resolves #84311
Release note (security update): The HTTP endpoints under the
/api/v2prefixwill now accept cookie-based authentication similar to other HTTP endpoints
used by the DB Console. The encoded session must be in a cookie named
"session", and the"X-Cockroach-API-Session"header is required to be setto
"cookie"for the session to be read from the cookie header. A cookieprovided without the custom header present will be ignored.