Unstable user authentication in website

[grayside]

This issue is non-standard, representing a meta bug of observed problems and churn related to user authentication in the website. In order to meet scheduled duedates, I'm going to see if I can help fix it.

• Goal: When this issue is fixed, it will mean #46 is resolved or mostly resolved.

Special Challenges

We are trying to use Cloud Identity Platform to tell a story of how customers can have broad SSO capability in their apps.

However, most of the technical information we need is in the Firebase Authentication documentation, using the Firebase Authentication library, and we are building a "backend website", which we perceive as being a secondary use case for the Firebase documentation. This has made it difficult to get a comprehensive understanding of what needs to happen.

Observed Problems

• Frequently exposing users to 403 errors from the API
• Login/Logout icons unclear and inconsistently functional

Gap Analysis

User Authentication Middleware

https://github.com/GoogleCloudPlatform/emblem/blob/b6db1a4c9a13609d14a7e2f97702a36d1985189b/website/middleware/auth.py#L23-L29

• The website does not validate Session Cookies
• Invalid Session Cookies are not purged
• Session Cookies are passed directly to the API. They are not in an appropriate OIDC format and the extended lifespan of a cookie is an inappropriate use for a token.
• Invalid tokens lead to the error page even when requesting resources that don't require a valid token

User Login Flow

https://github.com/GoogleCloudPlatform/emblem/blob/b6db1a4c9a13609d14a7e2f97702a36d1985189b/website/static/login.js#L35-L43

• No CSRF protection (#140)

Login User Interface

https://github.com/GoogleCloudPlatform/emblem/blob/b6db1a4c9a13609d14a7e2f97702a36d1985189b/website/templates/base.html#L67-L81

• Icons are confusing and do not seem to work consistently.

Troubleshooting

• When an API error is shown, it's difficult to confirm which API server & resource had a problem

  Sequences

Unauthenticated, Home Page, API Success

Browser -> Auth Middleware (Skip, No Token) -> API Request (List Campaigns -> API Success -> Log API Request -> Render Page

Unauthenticated, Home Page, API 5xx error

Browser -> Auth Middleware (Skip, No Token) -> API Request (List Campaigns) -> API Fail -> Log API Request -> Error Page

Future Note: We should enhance error handling to insert default text when it's a 5xx failure on read-only operations.

Authenticated, Home Page, Day 0, API Success

Browser -> Auth Middleware (Validate) -> Auth Middleware (Generate ID Token) -> API Request (List Campaigns) -> API Success -> Log API Request -> Render Page

Authenticated, Home Page, Day 20

Browser -> Auth Middleware (Validate) -> Auth Middleware (Expired Token Found) -> Redirect to Logout

Invalid Auth, Home Page

Browser -> Auth Middleware (Validate) -> Auth Middleware (Invalid Session) -> HTTP 401

Tasks

• [ ] Validate Session Cookies before use
• [ ] Invalidate Session Cookies should redirect user to logout
• [ ] Remove user profile icon and add text to login/logout icons
• [ ] Log API requests. (Required modifying generated code?)
• [ ] #148: Frontend uses API-specific credentials to communicate

Future Tasks

• 140: Design an approach for CSRF, perhaps based on Manage Cookies and Firebase Auth Node.js Quickstart (Python code does not demonstrate CSRF protection)

• 153: API can validate origin authority of API requests.

• Revise API Requests logged by the website to as severity DEBUG
• Use full revalidation on session cookies. Even though we do not have fraud preventing tools yet, we can manually revoke a user if we see something in the logs if we support this.
• On force logout, prompt the user to log back in again

[grayside]

After completing that analysis and starting to pursue the work, I found the amount of complexity in the implementation, the products, and the documentation seems untenable. Team is going to have some discussions on whether we're going to stick with Identity Platform, and try putting together a comprehensive approach for next steps.

[grayside]

This was fixed by switching to Google Identity/Google Sign-in. See #210, #212.