OSC / bc_osc_codeserver

BETA - Batch Connect - OSC Code Server
https://osc.github.io/Open-OnDemand/
GNU General Public License v3.0

Fix authentication issues with code-server #2

Closed msquee closed 4 years ago

msquee commented 4 years ago

Upgrade code-server to version v3.4.1 (https://github.com/cdr/code-server/releases/tag/v3.4.1)

Known bugs:

Todo:

Further improvement ideas for future releases:

msquee commented 4 years ago

When code-server upgraded to 3.x they removed a command line option to set the base path for URL redirection after login. --base-path was removed from code-server in this commit: https://github.com/cdr/code-server/pull/1272

code-server operates on completely relative paths now, you don't have the option to set a base path anymore.

When code-server is run as a batch connect application, our URL looks something like this: https://ondemand-test.osc.edu/rnode/o0808.ten.osc.edu/18513/

Relevant Files:

  1. https://github.com/cdr/code-server/blob/master/src/node/app/proxy.ts
  2. https://github.com/cdr/code-server/blob/master/src/node/app/login.ts
  3. https://github.com/cdr/code-server/blob/master/src/node/http.ts#L738
  4. https://github.com/cdr/code-server/blob/master/src/node/http.ts#L682
  5. https://github.com/cdr/code-server/blob/master/src/common/util.ts#L33
  6. https://github.com/cdr/code-server/blob/81411b2af9b088cefb460c719c0abe4bbcefd5d3/src/node/util.ts#L53
  7. https://github.com/cdr/code-server/blob/master/src/node/app/login.ts#L92
  8. https://github.com/cdr/code-server/blob/master/src/node/http.ts#L738

Problem: We require authentication. When we send a POST request to /rnode/o0808.ten.osc.edu/18513/login/, we are redirected to /rnode/o0808.ten.osc.edu/18513/login/rnode/o0808.ten.osc.edu/18513 because code-server doesn't like anything that isn't on the root path. See the comment about this from the code-server developers here: https://github.com/cdr/code-server/pull/1272#issuecomment-573848748

Cause: When you post to /login/, the redirect logic is done here: https://github.com/cdr/code-server/blob/81411b2af9b088cefb460c719c0abe4bbcefd5d3/src/node/app/login.ts#L87 and we're redirected to route.query.to, which comes from /login/?to=${HERE}, or, if that's not set, we're redirected to /. But our base path from /login/ is /rnode/o0808.ten.osc.edu/18513/login/, so we're redirected to /rnode/o0808.ten.osc.edu/18513/login/rnode/o0808.ten.osc.edu/18513/, causing our bug!

Potential Solutions:

  1. Modify the Stanford Authentication proxy to support proxying directly to a socket instead of a port https://github.com/stanford-rc/sh_ood-apps/blob/master/sh_tensorboard/template/bin/authrevproxy.py

  2. Use @johrstrom's modified authrevproxy with support for network namespaces https://github.com/OSC/bc_osc_tensorboard/blob/gtc/template/script.sh.erb this would let us start code-server with the option --auth=none and redirecting from login wouldn't be an issue anymore. The problem with this option is that namespaces are not enabled system wide.

  3. Create a new sidecar proxy that acts as a middleware that validates a POST request against the environment variable $PASSWORD. If they match, then set a cookie with the key "key" https://github.com/cdr/code-server/blob/master/src/node/app/login.ts#L92 so that the user can visit the running code-server already authenticated.

code-server sets the cookie "key" value to a hashed SHA256 string here: https://github.com/cdr/code-server/blob/master/src/node/util.ts#L53 from the environment variable $PASSWORD here: https://github.com/cdr/code-server/blob/master/src/node/app/login.ts#L82, so we can just mimic that behavior in a sidecar proxy as long as we have access to the environment variable.
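Potential solution 3 from the comment above, as an added example (not part of the original comment, and not code from code-server or authrevproxy). It shows how a path-relative Location resolves against the /login/ URL to give the doubled path, and a sidecar login step that checks the password and answers with an absolute redirect. Assumptions: the function names are hypothetical, the relative Location value is constructed, and the SHA256 digest is taken to be hex-encoded.

```python
import hashlib
import hmac
from urllib.parse import urljoin

# Constructed values modeled on the URL quoted in the thread.
BASE_PATH = "/rnode/o0808.ten.osc.edu/18513/"
LOGIN_URL = "https://ondemand-test.osc.edu" + BASE_PATH + "login/"


def resolve_redirect(location, request_url=LOGIN_URL):
    """Resolve a Location header as a browser does: relative to the request URL."""
    return urljoin(request_url, location)


def cookie_value(password):
    """SHA-256 of the password; hex encoding is an assumption about code-server."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def handle_login(submitted, expected, base_path=BASE_PATH):
    """Sidecar login step for a POST to <base_path>login/; returns (status, headers)."""
    # An unset $PASSWORD must never authenticate anyone.
    if not expected:
        return 401, {}
    # Compare fixed-length digests in constant time instead of using ==.
    if not hmac.compare_digest(cookie_value(submitted), cookie_value(expected)):
        return 401, {}
    headers = {
        # Path limits the cookie to requests under this session's base path.
        "Set-Cookie": "key=%s; Path=%s; HttpOnly; Secure; SameSite=Lax"
        % (cookie_value(expected), base_path),
        # Absolute path: resolves to the app root whatever the /login/ prefix is.
        "Location": base_path,
    }
    return 302, headers


if __name__ == "__main__":
    # Path-relative value (constructed): reproduces the doubled path from the thread.
    print(resolve_redirect("rnode/o0808.ten.osc.edu/18513"))
    # Absolute path: lands on the batch connect app root.
    print(resolve_redirect(BASE_PATH))
    print(handle_login("example-password", "example-password"))
```
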

msquee commented 4 years ago

I need to find a solution to load these external scripts from inside the project root instead of relying on a CDN to host these files. https://github.com/OSC/bc_osc_codeserver/blob/4e7ac4b47f0f56cd0a53a09afbafa20e1fe31aec/view.html.erb#L12-L25 This isn't possible currently. Ideally, it would be nice to have a /static folder in the root of interactive applications that is autoloaded and exposed at a URL like /pun/sys/dashboard/batch_connect/dev/bc_osc_codeserver/static for situations like these.

SpontaneousDuck commented 4 years ago

Just used the changes to view.html.erb with code-server:v3.4.1 and all worked swimmingly!

nathanweeks commented 2 years ago

It appears that the problem described in https://github.com/OSC/bc_osc_codeserver/pull/2#issuecomment-623518310 is again occurring with bc_osc_codeserver 0.4.0 and code-server >= 3.11.0 (but 3.10.2 works OK).

johrstrom commented 2 years ago

What version of OnDemand are you on? https://github.com/OSC/ondemand/issues/521 in OnDemand is part of this.

johrstrom commented 2 years ago

Oh, it was fixed in 2.0 by the way. So 1.8 may be buggy here.

nathanweeks commented 2 years ago

OOD v2.0.12. Given its release date (2021-07-01), it seems that should have the aforementioned commits?

This issue was previously noticed by another user & mentioned in the Discourse forum: https://discourse.osc.edu/t/vscode-code-server/882/14

vallerul commented 2 years ago

May I know if there are updates to this issue? I am currently using code-server 4.1.0, and it does not seem to work.

johrstrom commented 2 years ago

> OOD v2.0.12. Given its release date (2021-07-01), it seems that should have the aforementioned commits?

Yes, it looks like this was fixed in 2.0.6 and beyond.

> May I know if there are updates to this issue?

We have no updates as we're using version 3.9.3 and fixed it at least for that version. I haven't looked into upgrading in some time.

nathanweeks commented 2 years ago

> We have no updates as we're using version 3.9.3 and fixed it at least for that version. I haven't looked into upgrading in some time.

It would be helpful to be able to upgrade at some point. Aside from missing features present in newer VS Code releases, VS Code 1.56.1 (provided by Code Server 3.10.2) isn't compatible with newer versions of some important extensions (e.g., the ms-python.python extension is stuck at v2021.5.926500501).

Would it be worth submitting a new issue to this repo to track the issue?

johrstrom commented 2 years ago

I opened #26