UI needs to support auth tokens #91

Closed
jessesuen opened this issue Apr 17, 2018 · 4 comments

jessesuen commented Apr 17, 2018

Taking the liberty of filling this in. We have a few options:

  1. Set and parse cookies server-side. These cookies could contain the JWT required by Argo CD. This has the advantage of being secure and we can set the HttpOnly flag on them since the client-side JavaScript won't need to (and, indeed, cannot) interact with them. A tradeoff is that logout requires server-side action to delete the cookie.

  2. Generate tokens server-side (as above), but send them to the client. This is the current implementation for token generation. The client can use JavaScript to create a cookie from the token, then look that cookie up before sending the token to the server. This is less secure since JavaScript can access the cookie (i.e., no HttpOnly flag), but JavaScript can be used for the logout process. To ensure safe access and encryption, probably best to use a secure cookie and avoid HTML5 local storage.

As a side note, a best practice is for all cookies to be secure cookies, at least in production.

For the first option, the frontend integrates by having an API endpoint for login (already done!) that needs to set a cookie in the response (not yet done), rather than returning the token. Logout requires a second endpoint to delete the cookie.

For the second option, I believe that everything is in place for implementation right now.

@alexmt, interested in your thoughts.

jessesuen added this to the 0.3.0 milestone Apr 17, 2018

jessesuen commented

I am in favor of setting cookies from the server, but this is just what I am used to. I think relying on client-side logic makes it inflexible for other types of HTTP clients/tooling such as Postman.

merenbach self-assigned this Apr 18, 2018

merenbach commented Apr 18, 2018

Server-side cookie support will be added with #96.

merenbach commented Apr 19, 2018

Server-side cookie support is now present. @alexmt to support client-side:

Login

Issue an HTTP POST to /api/v1/session with a JSON payload as follows:

{
    "username": "USERNAME_GOES_HERE",
    "password": "PASSWORD_GOES_HERE"
}

The JSON response will look like:

{"token": "TOKEN_GOES_HERE"}

Please feel free to ignore this response entirely, as the HTTP response also sets a cookie, which should automatically grant access. It is possible that this cookie will "just work" for future requests (suggest trying that way first unless you know otherwise). Your XHR/AJAX framework may also need to maintain (and pass for future requests) a shared cookie context.

Logout

Issue an HTTP DELETE request to /api/v1/session with no JSON payload. The response will be an empty JSON object ({}), which can be completely ignored.
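
The login/logout exchange described above, together with the cookie flags weighed in the opening comment (HttpOnly, Secure, server-side logout, and keeping the API usable from tools such as Postman), as an added example in Go, the language of the Argo CD API server. This is not the project's own code: the handler models option 1 (POST /api/v1/session checks the JSON credentials, sets an HttpOnly, Secure, SameSite cookie and also returns the token in the body; DELETE expires the cookie and returns {}). The cookie name `session`, the credentials, the fixed token, the host argocd.example and the extra /api/v1/whoami endpoint are assumptions constructed for the example; a real server would verify a password hash and mint and validate a signed JWT. The client side uses net/http's cookie jar as the shared cookie context the comment mentions, and requests are routed to the handlers through an in-process RoundTripper so the whole thing runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"strings"
)

// Constructed for this example; the thread does not give Argo CD's cookie name, token format or credentials.
const (
	cookieName         = "session"
	demoUser, demoPass = "admin", "correct horse battery staple"
	demoToken          = "demo.jwt.token" // stands in for the JWT a real server would mint and verify
)

// sessionHandler is /api/v1/session as described above: POST checks the JSON credentials, sets the
// session cookie and also returns the token in the body; DELETE expires the cookie and returns {}.
func sessionHandler(w http.ResponseWriter, r *http.Request) {
	switch r.Method {
	case http.MethodPost:
		var req struct{ Username, Password string }
		if json.NewDecoder(r.Body).Decode(&req) != nil || req.Username != demoUser || req.Password != demoPass {
			http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
			return
		}
		// Option 1 from the opening comment: HttpOnly keeps page scripts away from the token,
		// Secure keeps it off plaintext HTTP, SameSite limits cross-site replay.
		http.SetCookie(w, &http.Cookie{Name: cookieName, Value: demoToken, Path: "/",
			HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode})
		json.NewEncoder(w).Encode(map[string]string{"token": demoToken})
	case http.MethodDelete:
		// Script cannot touch an HttpOnly cookie, so logout is a server round trip; MaxAge < 0 discards it.
		http.SetCookie(w, &http.Cookie{Name: cookieName, Path: "/", MaxAge: -1, HttpOnly: true, Secure: true})
		fmt.Fprint(w, "{}")
	}
}

// whoamiHandler, a hypothetical protected endpoint, takes the token from the cookie (browsers) or a bearer header (Postman, curl).
func whoamiHandler(w http.ResponseWriter, r *http.Request) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	if c, err := r.Cookie(cookieName); err == nil {
		tok = c.Value // the cookie wins when both are present
	}
	if tok != demoToken { // a real server verifies the JWT signature and expiry here
		http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, `{"username":%q}`, demoUser)
}

// handlerTransport routes requests straight to the handlers (no socket); http.Client still applies its cookie jar.
type handlerTransport struct{ mux *http.ServeMux }

func (t handlerTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	t.mux.ServeHTTP(rec, r)
	return rec.Result(), nil
}

// newClient wires up both endpoints behind a client with a cookie jar, the shared cookie context the thread mentions.
func newClient() *http.Client {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/v1/session", sessionHandler)
	mux.HandleFunc("/api/v1/whoami", whoamiHandler)
	jar, _ := cookiejar.New(nil)
	return &http.Client{Transport: handlerTransport{mux}, Jar: jar}
}

// do sends one request with an optional JSON body and optional bearer header; it returns the HTTP
// status and whatever "token" field the JSON response carried (empty for non-login responses).
func do(c *http.Client, method, url, bearer, body string) (int, string) {
	req, _ := http.NewRequest(method, url, strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	resp, err := c.Do(req)
	if err != nil {
		return 0, ""
	}
	defer resp.Body.Close()
	var out struct{ Token string }
	json.NewDecoder(resp.Body).Decode(&out)
	return resp.StatusCode, out.Token
}

// login is the POST from the thread; logout is do(c, "DELETE", base+"/api/v1/session", "", "").
func login(c *http.Client, base, user, pass string) (int, string) {
	body, _ := json.Marshal(map[string]string{"username": user, "password": pass})
	return do(c, "POST", base+"/api/v1/session", "", string(body))
}

func main() {
	c := newClient() // argocd.example is a constructed host; the https scheme matters because the cookie is Secure
	fmt.Println(login(c, "https://argocd.example", demoUser, demoPass))
	fmt.Println(do(c, "GET", "https://argocd.example/api/v1/whoami", "", ""))
}
```

Two behaviours worth checking when wiring a real client against this design: because the cookie is Secure, the jar withholds it for a plain http:// URL, so a whoami call over http fails with 401 even immediately after login; and a fresh client whose jar is empty still gets through with an Authorization bearer header built from the token in the login body, which is the non-browser path the second comment worries about. After the DELETE the jar drops the cookie (Max-Age below zero), so the next cookie-only request is 401 again.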

merenbach removed their assignment Apr 19, 2018

alexmt commented Apr 19, 2018

Thank you @merenbach! UI changes have been implemented.
