release-22.1: apiv2: accept cookie auth when header is non-empty #85553
Backport 1/1 commits from #84617.
/cc @cockroachdb/release
In order to make use of HTTP endpoints under /api/v2 in the DB Console it is necessary to support cookie-based authentication for ergonomic Javascript use.
Previously, header-based auth was not possible to use in the DB Console
because the login endpoint we use returns the session in a Cookie.
Moving this cookie into a header would require us to read into a
less-secure storage method (local storage, redux, etc.) instead of
keeping it secure in the browser's cookie storage.
We implement a suggestion to rely on Cookie auth by requiring the presence of the auth header with a magic value of "cookie" that tells the server to look for the session in the session cookie. This forces the caller to modify the request via JS, which protects us from CSRF since cross-origin requests can only be "simple". See the issue for further discussion.
Resolves #84311
Release note (security update): The HTTP endpoints under the /api/v2 prefix will now accept cookie-based authentication similar to other HTTP endpoints used by the DB Console. The encoded session must be in a cookie named "session", and the "X-Cockroach-API-Session" header is required to be set to "cookie" for the session to be read from the cookie header. A cookie provided without the custom header present will be ignored.
Release justification: additive improvement to the /api/v2 endpoints to allow for ease of use with UI code.
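The header-plus-cookie rule described in this PR, written out as an added Go example. This is not CockroachDB's code: the header name "X-Cockroach-API-Session", the cookie name "session" and the magic value "cookie" are taken from the release note above, while the middleware shape, the request path and the session values are constructed here for illustration. The example shows why a cookie sent without the custom header (what a cross-origin "simple" request looks like to the server) is ignored, while a request that sets the header explicitly is accepted.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Names taken from the PR's release note. The handler code around them is
// illustrative only, not CockroachDB's implementation.
const (
	sessionHeader  = "X-Cockroach-API-Session"
	sessionCookie  = "session"
	useCookieMagic = "cookie"
)

// sessionFromRequest returns the encoded session the caller presented and
// whether one was found. The cookie is only consulted when the header
// explicitly asks for it with the magic value; a cookie arriving without
// the header is ignored, which is the CSRF property the PR relies on.
func sessionFromRequest(r *http.Request) (string, bool) {
	hdr := r.Header.Get(sessionHeader)
	switch hdr {
	case "":
		// No header at all: do not fall back to the cookie.
		return "", false
	case useCookieMagic:
		c, err := r.Cookie(sessionCookie)
		if err != nil || c.Value == "" {
			return "", false
		}
		return c.Value, true
	default:
		// Any other non-empty value is the encoded session itself.
		return hdr, true
	}
}

// requireSession rejects requests that present no usable session.
func requireSession(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := sessionFromRequest(r); !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor builds a constructed request with the given header value and
// cookie value (empty string means absent), runs it through the middleware
// and reports the resulting HTTP status. The path is hypothetical.
func statusFor(header, cookie string) int {
	h := requireSession(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodGet, "/api/v2/example/", nil)
	if header != "" {
		req.Header.Set(sessionHeader, header)
	}
	if cookie != "" {
		req.AddCookie(&http.Cookie{Name: sessionCookie, Value: cookie})
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// A cross-origin "simple" request cannot add the custom header, so the
	// browser-attached cookie alone yields 401.
	fmt.Println("cookie only:", statusFor("", "abc123"))
	// JS on the DB Console origin sets the header to "cookie": 200.
	fmt.Println("header=cookie + cookie:", statusFor("cookie", "abc123"))
	// The pre-existing header-based auth still works: 200.
	fmt.Println("header carries session:", statusFor("abc123", ""))
	// Asking for the cookie when none was sent: 401.
	fmt.Println("header=cookie, no cookie:", statusFor("cookie", ""))
}
```

The client side of this is a fetch from the DB Console's own origin with the header set, e.g. `fetch("/api/v2/...", {headers: {"X-Cockroach-API-Session": "cookie"}})`; the browser attaches the session cookie itself, and the custom header is what a third-party page cannot add without a CORS preflight.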