9063 - add session API auth mechanism with feature flag

[GPortas]

What this PR does / why we need it:

As stated in #9063, for the development of the new Dataverse Single Page Application (SPA), the SPA needs to be able to authenticate against Dataverse Native API.

The final authentication mechanism for the SPA is yet to be developed. Meanwhile, only for development purposes, this mechanism allows to authenticate given a session (Defined by JSESSIONID cookie). Due to the CSRF risks of using the JSESSIONID cookie for API authentication, this functionality should not be enabled for production purposes.

In order to keep this functionality disabled by default and following the docs, a new JVMSetting has been created, with a boolean value of 'false' by default.

Being aware of @poikilotherm's work in progress of #9230, where he developed a generic mechanism for feature flags, the naming of the JVMSetting created in this PR follows the same structure he uses in his PR, considering a later refactor that will include this JVMSetting into the generic mechanism.

Edit (01/17): After discussion with @pdurbin and @poikilotherm, we have decided to include the generic mechanism for feature flags that Oliver has worked on and its associated documentation in this PR.

Edit (01/18): New issue created for the new generic mechanism for feature flags, #9297.

TODOs.

• Add feature flag for session API auth
• Add generic feature flag mechanism
• Add documentation for feature flag for session API auth

Which issue(s) this PR closes:

• Closes New API auth mechanism for SPA frontend requests to APIs (developers only for now) #9063
• Closes Create feature flags based on JVM settings to enable/disable experimental features #9297

Special notes for your reviewer:

I have considered to add test coverage to the AbstractApiBean changes, but I find it difficult to test the changes in isolation. The future refactor towards a filter-based module should make this easier.

Suggestions on how to test this:

Follow the next steps:

1. Enable the JVMSetting in microprofile-config.properties file: dataverse.feature.api-session-auth=true
2. Build and deploy Dataverse locally.
3. Navigate to Dataverse Login Page.
4. Without logging in, obtain the current JSESSIONID cookie value from the browser (it corresponds to a Guest User).
5. Using the obtained cookie value, perform a curl command against a secured Dataverse Native API endpoint. For example: curl --cookie "JSESSIONID=<cookie_value>" -X GET http://localhost:8080/api/datasets/2
6. A message indicating that the guest user is not authorized should appear.
7. Again on the Dataverse Login Page, log in with valid user credentials. The JSESSIONID cookie value should be updated.
8. Repeat the same curl test but with the new cookie value.
9. The requested data should be successfully retrieved.

An additional test is to repeat the above steps but keeping dataverse.feature.api-session-auth=false. Whether logged in or not, requests must fail by recognizing a guest user (Default Dataverse behavior).

Does this PR introduce a user interface change? If mockups are available, please link/include them here:

No

Is there a release notes update needed for this change?:

Not sure

Additional documentation:

No

[poikilotherm]

Related to #9299, as using a feature flag.

[mreekie]

This feature makes is possible to for a user to access our entire API with the UI cookies.

This is the addition of a mechanism to help speed up SPA mechanism.
For devel purposes.
This coincides with work Oliver is working on in 9299 to setup a place to put these experimental dev only settings.

Merge this first, then refactor after oliver PR.
Set this aside, and get 9299 through first, followed by this one.

The consensus is to have this come AFTER #9299

Size: 3

[pdurbin]

@GPortas feature flags has been merged:

• 9297 feature flags #9299

[coveralls]

Coverage: 20.153% (+0.004%) from 20.149% when pulling 9764188 on GPortas:9063-session-api-auth into 47f0b0e on IQSS:develop.

[pdurbin]

The failing test is just this:

• Intermittent error from the new Harvesting Clients test  #9240

[pdurbin]

Enable the JVMSetting in microprofile-config.properties file: dataverse.feature.api-session-auth=true

The above works but I don't want to have to edit src/main/resources/META-INF/microprofile-config.properties and then rebuild the image with mvn -Pct clean package.

Instead I want to set an environment variable like this...

export DATAVERSE_FEATURE_API_SESSION_AUTH=1

... and then just start the image (without rebuilding it).

This seemed to work for me last time with an uncommitted feature flag (export DATAVERSE_FEATURE_UPLOAD_METHODS=1) I played around with: #9299 (comment)

I'm not sure why it isn't working now. Underscores vs. hyphens? I'm really not sure. I'll poke at the code some more but @poikilotherm (who added feature flags) might know.

(Unrelated, I also have a few doc changes queued up.)

[pdurbin]

Changing from hyphens to underscores didn't help...

-    API_SESSION_AUTH("api-session-auth"),
+    API_SESSION_AUTH("api_session_auth"),

... I checked and...

export DATAVERSE_FEATURE_API_SESSION_AUTH=1

... still didn't work.

[pdurbin]

In 5eb13b0 I went ahead and pushed some doc changes (feel free to edit or revert).

[poikilotherm]

@pdurbin the docs you want to look at are these: https://docs.docker.com/compose/environment-variables/set-environment-variables

Docker Compose will not just pickup any (random) env var from your shell without you telling it where it shall go. Plenty of options to go for, depending on your favorite. Enjoy 😄

[poikilotherm]

Changing from hyphens to underscores didn't help...

-    API_SESSION_AUTH("api-session-auth"),
+    API_SESSION_AUTH("api_session_auth"),

... I checked and...

export DATAVERSE_FEATURE_API_SESSION_AUTH=1

... still didn't work.

No no no, you are mixing things up here! The definition is with dashes, MPCONFIG spec says "go look for env vars and start replacing special chars with dashes". You need to be aware that you must transfer the env var into the container, it's not enough to have it in your shell (exported or not). (See also my comment above with a docs link how to do the transfer.)

[pdurbin]

@poikilotherm thank you, yes, I had found that doc before I left the office.

Any change I make locally to a file I don't want to show up in git diff so I'm thinking I'll try this next...

• cp .env .env.pem (.pem is in our .gitignore)
• vi .env.pem adding DATAVERSE_FEATURE_API_SESSION_AUTH=1
• docker-compose --env-file .env.pem -f docker-compose-dev.yml up
• if this works, add it to the docs somewhere

[pdurbin]

Ok, the idea above worked but not with the .env file. Instead I did this (again .pem because it's in .gitignore so I don't have to worry about accidentally committing docker-compose-dev.yml.pem):

cp docker-compose-dev.yml docker-compose-dev.yml.pem
echo "DATAVERSE_FEATURE_API_SESSION_AUTH=1" >> docker-compose-dev.yml.pem
docker-compose -f docker-compose-dev.yml.pem up

I guess this is fine. I didn't have to rebuild the image. I still need to add some docs though.

[pdurbin]

I added some additional docs in 9764188. This is ready for QA.

[pdurbin]

Works great! Thanks, @GPortas!! 🎉

[pdurbin]

@kcondon as always, I'm happy to chat about what I did. As a quick tip, here's where I found the cookie in Firefox: