fix

Author: easyCZ

components/server/src/auth/jwt.ts

@@ -7,6 +7,7 @@
 import * as jsonwebtoken from "jsonwebtoken";
 import { Config } from "../config";
 import { inject, injectable } from "inversify";
+import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 
 const algorithm: jsonwebtoken.Algorithm = "RS512";
 
@@ -33,9 +34,18 @@ export class AuthJWT {
     }
 
     async verify(encoded: string): Promise<object> {
+        // When we verify an encoded token, we verify it using all available public keys
+        // That is, we check the following:
+        //  * The current signing public key
+        //  * All other validating public keys, in order
+        //
+        // We do this to allow for key-rotation. But tokens already issued would fail to validate
+        // if the signing key was changed. To accept older sessions, which are still valid
+        // we need to check for older keys also.
+        const validatingPublicKeys = this.config.auth.pki.validating.map((keypair) => keypair.publicKey);
         const publicKeys = [
             this.config.auth.pki.signing.publicKey, // signing key is checked first
-            ...this.config.auth.pki.validating.map((keypair) => keypair.publicKey),
+            ...validatingPublicKeys,
         ];
 
         let lastErr;
@@ -46,10 +56,14 @@ export class AuthJWT {
                 });
                 return decoded;
             } catch (err) {
+                log.debug(`Failed to verify JWT token using public key.`, err);
                 lastErr = err;
             }
         }
 
+        log.error(`Failed to verify JWT using any available public key.`, lastErr, {
+            publicKeyCount: publicKeys.length,
+        });
         throw lastErr;
     }
 }
@@ -68,22 +82,3 @@ async function verify(
         });
     });
 }
-
-export async function newSessionJWT(userID: string): Promise<string> {
-    const payload = {
-        // subject
-        sub: userID,
-        // issuer
-        iss: "gitpod.io",
-    };
-    const temporaryTestKeyForExperimentation = "my-secret";
-
-    return new Promise((resolve, reject) => {
-        jsonwebtoken.sign(payload, temporaryTestKeyForExperimentation, { algorithm: "HS256" }, function (err, token) {
-            if (err || !token) {
-                return reject(err);
-            }
-            return resolve(token);
-        });
-    });
-}

components/server/src/auth/login-completion-handler.ts

@@ -13,12 +13,14 @@ import { AuthFlow } from "./auth-provider";
 import { HostContextProvider } from "./host-context-provider";
 import { AuthProviderService } from "./auth-provider-service";
 import { TosFlow } from "../terms/tos-flow";
-import { increaseLoginCounter } from "../prometheus-metrics";
+import { increaseLoginCounter, reportJWTCookieIssued } from "../prometheus-metrics";
 import { IAnalyticsWriter } from "@gitpod/gitpod-protocol/lib/analytics";
 import { trackLogin } from "../analytics";
 import { UserService } from "../user/user-service";
 import { SubscriptionService } from "@gitpod/gitpod-payment-endpoint/lib/accounting";
-import * as jwt from "jsonwebtoken";
+import { getExperimentsClientForBackend } from "@gitpod/gitpod-protocol/lib/experiments/configcat-server";
+import { SessionHandlerProvider } from "../session-handler";
+import { AuthJWT } from "./jwt";
 
 /**
  * The login completion handler pulls the strings between the OAuth2 flow, the ToS flow, and the session management.
@@ -31,6 +33,7 @@ export class LoginCompletionHandler {
     @inject(AuthProviderService) protected readonly authProviderService: AuthProviderService;
     @inject(UserService) protected readonly userService: UserService;
     @inject(SubscriptionService) protected readonly subscriptionService: SubscriptionService;
+    @inject(AuthJWT) protected readonly authJWT: AuthJWT;
 
     async complete(
         request: express.Request,
@@ -94,14 +97,25 @@ export class LoginCompletionHandler {
             );
         }
 
-        const jwt = await newSessionJWT(user.id);
+        const isJWTCookieExperimentEnabled = await getExperimentsClientForBackend().getValueAsync(
+            "jwtSessionCookieEnabled",
+            false,
+            {
+                user: user,
+            },
+        );
+        if (isJWTCookieExperimentEnabled) {
+            const token = await this.authJWT.sign(user.id, {});
+
+            response.cookie(SessionHandlerProvider.getJWTCookieName(this.config.hostUrl), token, {
+                maxAge: 7 * 24 * 60 * 60, // 7 days
+                httpOnly: true,
+                sameSite: "lax",
+                secure: true,
+            });
 
-        response.cookie("_gitpod_jwt_", jwt, {
-            maxAge: 7 * 24 * 60 * 60,
-            httpOnly: true,
-            sameSite: "lax",
-            secure: true,
-        });
+            reportJWTCookieIssued();
+        }
 
         response.redirect(returnTo);
     }
@@ -129,22 +143,3 @@ export namespace LoginCompletionHandler {
         elevateScopes?: string[];
     }
 }
-
-export async function newSessionJWT(userID: string): Promise<string> {
-    const payload = {
-        // subject
-        sub: userID,
-        // issuer
-        iss: "gitpod.io",
-    };
-    const temporaryTestKeyForExperimentation = "my-secret";
-
-    return new Promise((resolve, reject) => {
-        jwt.sign(payload, temporaryTestKeyForExperimentation, { algorithm: "HS256" }, function (err, token) {
-            if (err || !token) {
-                return reject(err);
-            }
-            return resolve(token);
-        });
-    });
-}

components/server/src/container-module.ts

@@ -117,6 +117,7 @@ import { APIUserService } from "./api/user";
 import { APITeamsService } from "./api/teams";
 import { API } from "./api/server";
 import { LinkedInService } from "./linkedin-service";
+import { AuthJWT } from "./auth/jwt";
 
 export const productionContainerModule = new ContainerModule((bind, unbind, isBound, rebind) => {
     bind(Config).toConstantValue(ConfigFile.fromFile());
@@ -324,4 +325,6 @@ export const productionContainerModule = new ContainerModule((bind, unbind, isBo
     bind(APIUserService).toSelf().inSingletonScope();
     bind(APITeamsService).toSelf().inSingletonScope();
     bind(API).toSelf().inSingletonScope();
+
+    bind(AuthJWT).toSelf().inSingletonScope();
 });

components/server/src/prometheus-metrics.ts

@@ -25,6 +25,7 @@ export function registerServerMetrics(registry: prometheusClient.Registry) {
     registry.registerMetric(centralizedPermissionsValidationsTotal);
     registry.registerMetric(spicedbClientLatency);
     registry.registerMetric(dashboardErrorBoundary);
+    registry.registerMetric(jwtCookieIssued);
 }
 
 const loginCounter = new prometheusClient.Counter({
@@ -57,6 +58,15 @@ export function increaseApiConnectionCounter() {
     apiConnectionCounter.inc();
 }
 
+const jwtCookieIssued = new prometheusClient.Counter({
+    name: "gitpod_server_jwt_cookie_issued_total",
+    help: "Total number of JWT cookies issued for login sessions",
+});
+
+export function reportJWTCookieIssued() {
+    jwtCookieIssued.inc();
+}
+
 const apiConnectionClosedCounter = new prometheusClient.Counter({
     name: "gitpod_server_api_connections_closed_total",
     help: "Total amount of closed API connections",

components/server/src/session-handler.ts

@@ -15,6 +15,7 @@ const MySQLStore = mysqlstore(session);
 import { log } from "@gitpod/gitpod-protocol/lib/util/logging";
 import { Config as DBConfig } from "@gitpod/gitpod-db/lib/config";
 import { Config } from "./config";
+import { GitpodHostUrl } from "@gitpod/gitpod-protocol/lib/util/gitpod-host-url";
 
 @injectable()
 export class SessionHandlerProvider {
@@ -72,6 +73,14 @@ export class SessionHandlerProvider {
             .replace(/[\W_]+/g, "_");
     }
 
+    static getJWTCookieName(hostURL: GitpodHostUrl) {
+        const derived = hostURL
+            .toString()
+            .replace(/https?/, "")
+            .replace(/[\W_]+/g, "_");
+        return `${derived}jwt_`;
+    }
+
     public clearSessionCookie(res: express.Response, config: Config): void {
         // http://expressjs.com/en/api.html#res.clearCookie
         const name = SessionHandlerProvider.getCookieName(config);