[local-app] gracefully handle invalid token

[akosyakov]

What it does

• fix local-app is crashing with old token #5368 by allowing the local app to validate the current token scopes against expected scopes. And if they don't match then invalidate the token and run auth flow again.

I had to move bearer auth into verify callback to return a proper error code during web socket handshake, instead of failing after web socket is established. It allows clients to analyse the bad hahdshake request for unauthorised access.

How to test

• Start a workspace: https://akosyakov-local-app-is-crashing-5368.staging.gitpod-dev.com/#github.com/akosyakov/parcel-demo
• Start the local app:

# mac
curl -OL https://akosyakov-local-app-is-crashing-5368.staging.gitpod-dev.com/static/bin/gitpod-local-companion-darwin
chmod +x ./gitpod-local-companion-darwin
GITPOD_HOST=https://akosyakov-local-app-is-crashing-5368.staging.gitpod-dev.com ./gitpod-local-companion-darwin --log-level=debug

# linux
# curl -OL https://akosyakov-local-app-is-crashing-5368.staging.gitpod-dev.com/static/bin/gitpod-local-companion-linux
chmod +x ./gitpod-local-companion-linux
GITPOD_HOST=https://akosyakov-local-app-is-crashing-5368.staging.gitpod-dev.com ./gitpod-local-companion-linux --log-level=debug

# windows
# curl -OL https://akosyakov-local-app-is-crashing-5368.staging.gitpod-dev.com/static/bin/gitpod-local-companion-windows.exe
GITPOD_HOST=https://akosyakov-local-app-is-crashing-5368.staging.gitpod-dev.com ./gitpod-local-companion-windows.exe --log-level=debug

• check that you went through the auth flow and output looks fine
• restart the app, checks that you don't need to go through the auth flow this time
• go and corrupt the token for https://akosyakov-local-app-is-crashing-5368.staging.gitpod-dev.com in keychain access
• restart the app, you should see the error that token is invalid and go through the auth flow again
• now corrupt tokens in the DB: update d_b_gitpod_token set scopes = "";
• restart the app, you should see the error that token is invalid and go through the auth flow again

[codecov]

Codecov Report

Merging #5369 (018e57f) into main (0e270bc) will decrease coverage by 44.37%.
The diff coverage is 66.66%.

@@             Coverage Diff             @@
##             main    #5369       +/-   ##
===========================================
- Coverage   79.52%   35.15%   -44.38%     
===========================================
  Files           2       23       +21     
  Lines         127     5063     +4936     
===========================================
+ Hits          101     1780     +1679     
- Misses         17     3135     +3118     
- Partials        9      148      +139     

Flag	Coverage Δ
components-ee-agent-smith-app	25.82% <ø> (?)
components-licensor-lib	?
components-local-app-app-darwin	∅ <ø> (∅)
components-local-app-app-linux	19.39% <66.66%> (∅)
components-local-app-app-windows	∅ <ø> (∅)
components-supervisor-app	37.58% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
components/local-app/pkg/auth/auth.go	16.54% <66.66%> (ø)
components/licensor/ee/pkg/licensor/keys.go
components/licensor/ee/pkg/licensor/licensor.go
components/supervisor/pkg/supervisor/config.go	4.51% <0.00%> (ø)
components/supervisor/pkg/ports/exposed-ports.go	0.00% <0.00%> (ø)
components/supervisor/pkg/ports/ports-config.go	79.85% <0.00%> (ø)
components/ee/agent-smith/pkg/agent/actions.go	0.00% <0.00%> (ø)
components/supervisor/pkg/ports/tunnel.go	63.63% <0.00%> (ø)
components/ee/agent-smith/pkg/agent/egress.go	0.00% <0.00%> (ø)
components/supervisor/pkg/ports/served-ports.go	76.00% <0.00%> (ø)
... and 16 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0e270bc...018e57f. Read the comment docs.

[akosyakov]

@csweichel Could you check it again? I rewrote getGitpodTokenScopes to accept the token hash.

[akosyakov]

/werft run

👍 started the job as gitpod-build-akosyakov-local-app-is-crashing-5368.14

[csweichel]

Other than a couple of questions and a nit this looks good to me

[akosyakov]

@csweichel Could you have a look again please? All comments should be addressed.

[csweichel]

/lgtm

[roboquat]

LGTM label has been added.

Git tree hash: 99039cd043fb7f4830c96d1bb45e23c2fa7d53eb

[roboquat]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csweichel

Associated issue: #5368

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• components/gitpod-db/OWNERS [csweichel]
• components/gitpod-protocol/OWNERS [csweichel]
• components/local-app/OWNERS [csweichel]
• components/server/OWNERS [csweichel]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment