cylc / cylc-ui

Web app for monitoring and controlling Cylc workflows
https://cylc.github.io
GNU General Public License v3.0

Add authentication #2

Closed kinow closed 5 years ago

kinow commented 5 years ago

Probably initially with a dummy authentication. Could even copy the JupyterHub dummy authenticator.

Then we need to confirm:

kinow commented 5 years ago

Creating a permissions layer is a bit complicated, and error-prone. Would be easier to use an existing library/framework for that.

There are two good candidates for the Cylc web interface, with support for Vue (and some people sharing their use cases, implementation details, etc).

kinow commented 5 years ago

For authentication, JWT was mentioned in the meeting in Melbourne. Having a bit of experience with a couple of projects that use JWT, I remember other devs had to work (hard) on expiration mechanisms, token refreshing, and storing the tokens in a DB and/or caching servers.

Furthermore, these articles, though they may seem a bit biased against JWT, present valid issues when using JWT.

As Cylc is not supposed to be exposed publicly on the Internet, and performance (consequently request/response size) is important, I think JWT may not be the best option for us.

Furthermore, if we start from another perspective, trying first to think whether we could do with simple cookies and sessions for managing the user data... I can't see a reason that would prevent us from going with this approach right now (but could be wrong).

We just need to make sure to encrypt the cookies, use the right settings for security, and also apply TLS for communication.

hjoliver commented 5 years ago

Sounds pretty convincing :+1:

kinow commented 5 years ago

JupyterHub contains a dummy auth. Would be nice to have something for the UI too. Something that can be used when the UI is generated, regardless of the backend. e.g. https://github.com/cornflourblue/vue-vuex-registration-login-example/blob/master/src/_helpers/fake-backend.js

kinow commented 5 years ago

In the end, we may not require authentication here. We could rely entirely on the Hub for that.

The hub will put a secure cookie, that we can use to query information about the user from the Hub. If the cookie is valid, i.e. the hub returns information, then we consider the user authenticated.

Authorization is still an open topic.
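The exchange described in the comment above (the Hub sets a secure cookie; the UI server forwards it to the Hub and treats a returned user record as "authenticated"), together with the earlier point about cookie settings (signed/opaque cookie, Secure, HttpOnly, TLS), as an added example in Python. This is constructed for illustration and is not cylc-ui or JupyterHub code: `FakeHub`, the `hub-login` cookie name, `authenticate_request` and the HMAC-signed session-id cookie format are assumptions standing in for the real Hub.

```python
# Added example: a toy model of the hub-delegated cookie check discussed in this
# thread. Not cylc-ui or JupyterHub code; all names below are constructed.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

HUB_COOKIE = "hub-login"   # assumed cookie name, chosen for this example only


class FakeHub:
    """Constructed stand-in for the Hub: owns the session store, issues the
    signed login cookie and answers the UI server's "who is this?" lookups."""

    def __init__(self, secret: bytes, ttl: int = 3600) -> None:
        self._secret = secret
        self._ttl = ttl
        self._sessions: Dict[str, dict] = {}   # session id -> user data, server side only

    def _sign(self, sid: str) -> str:
        # The cookie carries an opaque session id plus an HMAC over it. No user
        # data travels in the cookie, which keeps it small and tamper-evident.
        mac = hmac.new(self._secret, sid.encode(), hashlib.sha256).hexdigest()
        return f"{sid}.{mac}"

    def login(self, username: str, now: float) -> str:
        sid = secrets.token_urlsafe(16)          # urlsafe base64 never contains '.'
        self._sessions[sid] = {"name": username, "expires": now + self._ttl}
        return self._sign(sid)

    def user_for_cookie(self, cookie: str, now: float) -> Optional[dict]:
        """Hub side of the check: valid signature and a live session, or nothing."""
        if "." not in cookie:
            return None
        sid, _mac = cookie.rsplit(".", 1)
        if not hmac.compare_digest(self._sign(sid), cookie):   # constant-time compare
            return None
        session = self._sessions.get(sid)
        if session is None or session["expires"] <= now:
            self._sessions.pop(sid, None)                       # drop a stale session
            return None
        return {"name": session["name"]}


def set_cookie_header(name: str, value: str, max_age: int) -> str:
    """Set-Cookie line with the attributes the thread calls for: Secure so the
    cookie only travels over TLS, HttpOnly so page scripts cannot read it,
    SameSite to limit cross-site sends."""
    return f"{name}={value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


def authenticate_request(cookies: Dict[str, str], hub: FakeHub, now: float) -> Optional[dict]:
    """UI-server side: no authentication logic of its own. It forwards the hub
    cookie to the hub and treats a returned user record as 'authenticated'."""
    cookie = cookies.get(HUB_COOKIE)
    if not cookie:
        return None
    return hub.user_for_cookie(cookie, now)


def demo() -> Dict[str, Optional[dict]]:
    """Walk through the exchange with a constructed clock; returns each outcome."""
    hub = FakeHub(secret=b"example-hub-secret", ttl=60)
    t0 = 1_000.0
    cookie = hub.login("alice", now=t0)
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")   # flip last MAC char
    return {
        "set_cookie": {"header": set_cookie_header(HUB_COOKIE, cookie, 60)},
        "no_cookie": authenticate_request({}, hub, t0),
        "valid": authenticate_request({HUB_COOKIE: cookie}, hub, t0 + 10),
        "tampered": authenticate_request({HUB_COOKIE: tampered}, hub, t0 + 10),
        "expired": authenticate_request({HUB_COOKIE: cookie}, hub, t0 + 61),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:>11}: {outcome}")
```

The UI-server side deliberately holds no secret and verifies nothing itself; every decision is the Hub's answer to `user_for_cookie`, which is the delegation the comment proposes. The expiry and tamper cases show what the Hub must reject for that delegation to be safe.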

kinow commented 5 years ago

After the work done in #33, I believe we won't need to worry about implementing authentication in the UI server, and for now will try to delegate that to be done by the Hub :tada:

hjoliver commented 5 years ago

That's great ... exactly what we hoped!