Closed rudokemper closed 9 months ago
@IamJeffG to discuss Monday.
To bypass logging in, I have added an option to pass a secret key query parameter via the browser path. This is handled by a /login/ GET endpoint that will generate a JWT if the query parameter matches the SECRET_JWT_KEY env var, and reload the page to be redirected to /map upon success.
This is NOT a safe method insofar as it can leave the secret key exposed.
Is this JWT value hard-coded in the Superset dashboard?
Yeah, eventually we will need to figure out how to have the Superset dash pass some JWT that it somehow retrieves (or computes) just-in-time:
And Views will need to check the JWT expiry date (maybe it already does this) before trusting it. One potential threat avenue of how it is today is that someone has the never-expiring JWT, but we no longer trust that person. We have no way to cut off their access.
Setting the JWT to expire is actually a one-line change, and Views auth does check this, so that shouldn't be a problem.
But yes, the token being matched to generate a JWT is hard coded in the iframe URL so that remains a security risk, albeit that one has to actually log into Superset to access it so there is at least that much of a protection layer. But agreed we should still find a better way to have Superset handle this.
I'm imagining some kind of mechanism that generates a new token on a regular interval and passes that to both Superset and Views (and in the future, other apps), which are then adapted to know what to do with it. Not sure whether that's a Superset plugin, or something exterior to both apps.
EDIT: As I wrote that on my phone, I realize I didn't see your proposed workflow as it looked like quoted text on my device! It makes a lot of sense to me, but indeed some pieces to still figure out, also in relation to how other apps might handle this.
I still need to do more research on auth0 too. There could be some scaffolding for a solution there.
Interestingly, Superset itself has an embedded SDK which can be used to embed Superset dashboards via iframe using the host application's authentication.
Merging this to stack on successive PR(s) that will aim to build in auth0 support as a solution for our embedding ambitions.
This PR adds authentication, a Login component, JWTs, and a path parameter to bypass logging in.
Specifically:
- `@nuxtjs/auth-next` has been added to handle authentication across the application. This library can sync with any OAuth service so we can use it for more sophisticated authentication in the future. However, for the time being, this is using a singular password (via env var `PASSWORD`).
- `Login.vue` via a /login/ POST endpoint. `Login.vue` will generate a JWT for authentication across the app, and redirect to `/map`. The JWT is currently not set to expire.
- To bypass logging in, I have added an option to pass a secret key query parameter via the browser path. This is handled by a /login/ GET endpoint that will generate a JWT if the query parameter matches the `SECRET_JWT_KEY` env var, and reload the page to be redirected to `/map` upon success.