[server] Set JWT cookie on sign-in WEB-100 #17200

Merged: 11 commits merged into main from mp/server-jwt-session-2 on Apr 17, 2023

Conversation

@easyCZ easyCZ (Member) commented Apr 13, 2023

Description

On successful sign-in, a JWT cookie is generated and stored in the client session.

Feature is behind a feature flag.

Related Issue(s)

How to test

  1. Preview
  2. Sign-in
  3. Observe there's a new cookie assigned with _jwt_ suffix

Release Notes

NONE

Documentation

Build Options:

  • /werft with-werft
    Run the build with werft instead of GHA
  • leeway-no-cache
  • /werft no-test
    Run Leeway with --dont-test
Publish Options
  • /werft publish-to-npm
  • /werft publish-to-jb-marketplace
Installer Options
  • with-dedicated-emulation
  • with-ws-manager-mk2
  • workspace-feature-flags
    Add desired feature flags to the end of the line above, space separated

Preview Environment Options:

  • /werft with-local-preview
    If enabled this will build install/preview
  • /werft with-preview
  • /werft with-large-vm
  • /werft with-gce-vm
    If enabled this will create the environment on GCE infra
  • with-integration-tests=all
    Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh

/hold

@werft-gitpod-dev-com: started the job as gitpod-build-mp-server-jwt-session-2.1 because the annotations in the pull request description changed (with .werft/ from main)

@easyCZ easyCZ force-pushed the mp/server-jwt-session-2 branch from d87a326 to 45b858d Compare April 13, 2023 12:43
@easyCZ easyCZ changed the base branch from main to mp/server-create-jwt-pki April 13, 2023 12:44
@easyCZ easyCZ changed the title from "[server] Set JWT cookie on sign-in" to "[server] Set JWT cookie on sign-in WEB-100" Apr 13, 2023
@roboquat roboquat added size/XL and removed size/L labels Apr 13, 2023
Base automatically changed from mp/server-create-jwt-pki to main April 14, 2023 08:19
@easyCZ easyCZ force-pushed the mp/server-jwt-session-2 branch 2 times, most recently from 4354107 to cb1bd27 Compare April 14, 2023 08:30
@easyCZ easyCZ changed the base branch from main to mp/server-load-auth-pki April 14, 2023 08:32
@roboquat roboquat added size/L and removed size/XL labels Apr 14, 2023
@easyCZ easyCZ marked this pull request as ready for review April 14, 2023 08:32
@easyCZ easyCZ requested a review from a team April 14, 2023 08:32
@github-actions github-actions bot added the team: webapp Issue belongs to the WebApp team label Apr 14, 2023
Base automatically changed from mp/server-load-auth-pki to main April 14, 2023 11:54
@roboquat roboquat added size/XL and removed size/L labels Apr 14, 2023
@AlexTugarev AlexTugarev (Member) left a comment:

LGTM so far. Just two remarks:

  1. SameSite setting of the cookie
  2. Issuer to be URI, not just hostname

    response.cookie(SessionHandlerProvider.getJWTCookieName(this.config.hostUrl), token, {
        maxAge: this.config.session.maxAgeMs,
        httpOnly: true,
        sameSite: "lax",
        // remaining options not shown in the review excerpt
    });
Member (inline comment on the sameSite line):

Let's use strict cookies, please.

Member Author:
This matches the current cookie setting which we issue for session cookie. (it actually also marks the cookie as "secure" which we don't do currently)

Do you know the exact implications of changing this to strict?

Member:

A strict cookie means that if the browser (which already received the cookie) is redirected to a 3rd party, and then back to Gitpod, the cookie will not be sent. This is a typical scenario for redirect-based flows, where the 3rd party knows some sort of "returnTo" URL to redirect back, e.g. after asking the user for consent.

Hmm, now having that said, it sounds like we'd break Git Integrations with that. There are (at least) two solutions available:

  1. using a state param and a nonce cookie for redirect-based flows, similar to what's now done for OIDC SSO. There we no longer rely on a session.
  2. use a trick to relax the cookie for the time of a web-flow cycle: Make Gitpod cookie "stricter" #16406

That's getting too complicated here, I guess.

So, not raising the bar here seems ok, but keep in mind that we need to make it strict eventually to improve the security posture.
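As an added example that is not part of this PR or of Gitpod's code base, the following TypeScript models the browser's SameSite rule and walks through the redirect-based flow described above twice, once with the session cookie at lax and once at strict, and sketches option 1 (state parameter plus nonce cookie) so that the callback no longer needs the session. The site names, cookie names and function names are assumptions made for the walk-through; the SameSite decision logic follows RFC 6265bis and treats each redirect hop on its own.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

// Added example (not Gitpod's code): a small model of the browser's SameSite
// decision, used to walk through the redirect-based integration flow discussed
// in the review. Site names and cookie names below are assumptions.

type SameSite = "strict" | "lax" | "none";

interface Cookie {
  name: string;
  value: string;
  sameSite: SameSite;
  secure: boolean;
  httpOnly: boolean;
}

interface Request {
  initiatorSite: string;       // site responsible for the request; for a 3xx hop, the redirecting server's site
  targetSite: string;
  method: "GET" | "POST";
  topLevelNavigation: boolean; // address bar, link or redirect; false for fetch/XHR, images, iframes
}

// SameSite as browsers apply it (RFC 6265bis): a same-site request always carries
// the cookie; a cross-site request carries it only for Lax on a top-level GET
// navigation, or for None when the cookie is also Secure. Each hop is judged on
// its own here (some browser versions also look at the whole redirect chain).
function browserSendsCookie(cookie: Cookie, req: Request): boolean {
  if (req.initiatorSite === req.targetSite) return true;
  if (cookie.sameSite === "lax") return req.topLevelNavigation && req.method === "GET";
  if (cookie.sameSite === "none") return cookie.secure;
  return false; // strict: never on a cross-site request
}

const GITPOD = "https://gitpod.example";          // assumed site names
const PROVIDER = "https://git-provider.example";

// The "return to Gitpod" hop: the provider answers the consent step with a 302
// back to the Gitpod callback URL, so the browser makes a cross-site top-level GET.
const returnFromProvider: Request = {
  initiatorSite: PROVIDER,
  targetSite: GITPOD,
  method: "GET",
  topLevelNavigation: true,
};

function sessionCookie(sameSite: SameSite): Cookie {
  // name and value are placeholders for the JWT session cookie set on sign-in
  return { name: "_gitpod_jwt_", value: "<jwt>", sameSite, secure: true, httpOnly: true };
}

// Option 1 from the review: make the callback independent of the session. Before
// redirecting out, set a short-lived Lax nonce cookie and put the same value in
// the `state` query parameter of the authorize URL.
function startFlow(): { state: string; nonceCookie: Cookie } {
  const state = randomBytes(16).toString("hex");
  return {
    state,
    nonceCookie: { name: "auth_nonce", value: state, sameSite: "lax", secure: true, httpOnly: true },
  };
}

// The callback accepts the flow only if `state` matches the nonce cookie that
// came back with the request; a missing or different value rejects the flow.
function callbackAccepted(stateParam: string, nonceCookie: Cookie | undefined): boolean {
  if (nonceCookie === undefined) return false;
  const a = Buffer.from(stateParam, "utf8");
  const b = Buffer.from(nonceCookie.value, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Walk the flow once with the session cookie at the given SameSite setting and
// report which cookies reach which step.
function walkThrough(sessionSameSite: SameSite): {
  sessionOnCallback: boolean;
  nonceOnCallback: boolean;
  callbackAccepted: boolean;
  sessionOnNextSameSiteRequest: boolean;
} {
  const session = sessionCookie(sessionSameSite);
  const { state, nonceCookie } = startFlow();

  const sessionOnCallback = browserSendsCookie(session, returnFromProvider);
  const nonceOnCallback = browserSendsCookie(nonceCookie, returnFromProvider);
  const accepted = callbackAccepted(state, nonceOnCallback ? nonceCookie : undefined);

  // After the callback, the next request the user makes inside Gitpod is same-site,
  // so even a Strict session cookie is sent again.
  const nextRequest: Request = { initiatorSite: GITPOD, targetSite: GITPOD, method: "GET", topLevelNavigation: true };
  const sessionOnNextSameSiteRequest = browserSendsCookie(session, nextRequest);

  return { sessionOnCallback, nonceOnCallback, callbackAccepted: accepted, sessionOnNextSameSiteRequest };
}

console.log("lax:", walkThrough("lax"));
console.log("strict:", walkThrough("strict"));
```

With the session cookie at lax, it arrives on the cross-site callback; at strict, it does not, which is the breakage the comment describes. In both cases the Lax nonce cookie does arrive, so a callback that validates `state` against the nonce, rather than reading the session, works regardless of how strict the session cookie is.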

Member Author:

Thanks!

@AlexTugarev AlexTugarev (Member) left a comment:

LGTM!

@easyCZ easyCZ (Member Author) commented Apr 17, 2023

/unhold

@roboquat roboquat merged commit 495ed8e into main Apr 17, 2023
@roboquat roboquat deleted the mp/server-jwt-session-2 branch April 17, 2023 10:35
@roboquat roboquat added the labels "deployed: webapp" (Meta team change is running in production) and "deployed" (Change is completely running in production) Apr 17, 2023
Labels: deployed: webapp (Meta team change is running in production), deployed (Change is completely running in production), release-note-none, size/L, team: webapp (Issue belongs to the WebApp team)

Projects: Status: In Validation
3 participants