ClusterCockpit / cc-backend

Web frontend and API backend server for ClusterCockpit Monitoring Framework
https://www.clustercockpit.org
MIT License

Hotfix #178

Closed moebiusband73 closed 12 months ago

moebiusband73 commented 1 year ago

Refactor and document authentication module. Question: Is it on purpose that the authentication is not stopped if an authenticator is successful?

moebiusband73 commented 1 year ago

Also the fact that the Cookie based login takes place in Auth and not Login is not optimal. How does the Header JWT login initiate a session?

spacehamster87 commented 1 year ago

@ 1) Is the authenticator loop not stopped via ServeHTTP + return as soon as one authenticator succeeds? See

```go
// first successful authenticator: attach the user to the request context,
// hand off to the on-success handler, and leave the loop
log.Infof("login successfull: user: %#v (roles: %v, projects: %v)", user.Username, user.Roles, user.Projects)
ctx := context.WithValue(r.Context(), ContextUserKey, user)
onsuccess.ServeHTTP(rw, r.WithContext(ctx))
return
```

@ 2) Indeed we should move the cookie login there as well. Still, we should also better check if there is any hidden reason for the current solution though.

@ 3) URL (Crosslogin) Token is set and then further used in Login() at jwt.go:118, if you mean that.
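To make the point in 1) concrete, here is a self-contained authenticator chain that stops at the first success the way the quoted lines do (`ServeHTTP` on the on-success handler, then `return`). This is an added example, not cc-backend code: the `Authenticator` interface, the `staticAuth` stand-ins, the `X-Auth-Token`/`X-Session`/`X-Local` trigger headers and the rule that a failed `Login` falls through to the next authenticator are all assumptions made for the demonstration. It records which authenticators were consulted so one can check that nothing after the winning one ever runs.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// User is a minimal stand-in for the backend's user record (assumption).
type User struct {
	Username string
	Roles    []string
}

type ctxKey int

const ContextUserKey ctxKey = 0

// Authenticator is the shape assumed for this example: first "is this request
// for me?", then "log the user in".
type Authenticator interface {
	Name() string
	CanLogin(r *http.Request) bool
	Login(r *http.Request) (*User, error)
}

// staticAuth is a constructed authenticator: it applies when a given header is
// present and then returns a fixed user or a fixed error.
type staticAuth struct {
	name, header string
	user         *User
	err          error
}

func (s *staticAuth) Name() string                       { return s.name }
func (s *staticAuth) CanLogin(r *http.Request) bool      { return r.Header.Get(s.header) != "" }
func (s *staticAuth) Login(r *http.Request) (*User, error) { return s.user, s.err }

// Chain tries its authenticators in order and records which ones it consulted.
type Chain struct {
	authenticators []Authenticator
	Called         []string
}

// Login returns a handler that stops at the first successful authenticator:
// the user goes into the context, onsuccess is served, and the loop is left
// with return. A failed Login falls through to the next authenticator
// (assumption); if none succeeds, onfailure is served.
func (c *Chain) Login(onsuccess, onfailure http.Handler) http.Handler {
	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		for _, a := range c.authenticators {
			if !a.CanLogin(r) {
				continue
			}
			c.Called = append(c.Called, a.Name())
			user, err := a.Login(r)
			if err != nil {
				continue
			}
			ctx := context.WithValue(r.Context(), ContextUserKey, user)
			onsuccess.ServeHTTP(rw, r.WithContext(ctx))
			return
		}
		onfailure.ServeHTTP(rw, r)
	})
}

// Result is what one login attempt produced.
type Result struct {
	Status int
	User   *User
	Called []string
}

// RunChain sends one constructed request carrying the given headers through a
// three-member chain and reports the outcome. jwtFails makes the first
// authenticator return an error so the fall-through path can be observed.
func RunChain(headers map[string]string, jwtFails bool) Result {
	var jwtErr error
	if jwtFails {
		jwtErr = errors.New("invalid signature")
	}
	chain := &Chain{authenticators: []Authenticator{
		&staticAuth{name: "jwt-header", header: "X-Auth-Token", user: &User{Username: "alice", Roles: []string{"api"}}, err: jwtErr},
		&staticAuth{name: "session-cookie", header: "X-Session", user: &User{Username: "bob", Roles: []string{"user"}}},
		&staticAuth{name: "local", header: "X-Local", user: &User{Username: "carol", Roles: []string{"admin"}}},
	}}

	var res Result
	onsuccess := http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		res.User, _ = r.Context().Value(ContextUserKey).(*User)
		rw.WriteHeader(http.StatusOK)
	})
	onfailure := http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
		rw.WriteHeader(http.StatusUnauthorized)
	})

	req := httptest.NewRequest(http.MethodPost, "/login", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	chain.Login(onsuccess, onfailure).ServeHTTP(rec, req)

	res.Status = rec.Code
	res.Called = chain.Called
	return res
}

func main() {
	all := map[string]string{"X-Auth-Token": "t", "X-Session": "s", "X-Local": "l"}
	fmt.Printf("%+v\n", RunChain(all, false)) // only jwt-header consulted
	fmt.Printf("%+v\n", RunChain(all, true))  // jwt-header fails, session-cookie wins
	fmt.Printf("%+v\n", RunChain(nil, false)) // nobody applies: 401
}
```

Even with all three trigger headers present, `Called` holds only the first authenticator: the `return` after `onsuccess.ServeHTTP` is what keeps a later authenticator from overriding the already established user.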