livebook-dev / livebook

Automate code & data workflows with interactive Elixir notebooks
https://livebook.dev
Apache License 2.0

Custom Auth still prompts for auth token in Docker #2721

Closed mbklein closed 2 months ago

mbklein commented 2 months ago

Environment

Current behavior

  1. Create the file custom_livebook_auth.exs:

    defmodule CustomLivebookAuth do
      @moduledoc """
      Custom authentication module for Livebook
      """
      use GenServer
    
      @spec start_link(keyword) :: {:ok, pid()}
      def start_link(opts) do
        identity_key = opts[:identity_key]
        GenServer.start_link(__MODULE__, identity_key, Keyword.take(opts, [:name]))
      end
    
      def init(init_arg) do
        Application.put_env(:livebook, :authentication_mode, :disabled)
        {:ok, init_arg}
      end
    
      @spec authenticate(GenServer.server(), Plug.Conn.t(), keyword()) ::
              {Plug.Conn.t(), map() | nil}
      def authenticate(_server, conn, _) do
        {conn, %{id: "lbu123", name: "Livebook User", email: "livebook.user@example.edu"}}
      end
    end

  2. Start Livebook:

    docker run --rm -ti \
      -v ./custom_livebook_auth.exs:/app/user/extensions/custom_livebook_auth.exs \
      -e LIVEBOOK_IDENTITY_PROVIDER=custom:CustomLivebookAuth \
      -p 8080:8080 -p 8081:8081 \
      ghcr.io/livebook-dev/livebook:0.13.0

  3. Go to http://localhost:8080/

Note that the Authentication Required token prompt comes up. If you paste in the correct token (which you can copy from the Docker log), you can tell that the custom auth succeeded – the username Livebook User is displayed in the sidebar.

Expected behavior

Successful custom auth should bypass token auth. If you repeat the steps above with the ghcr.io/livebook-dev/livebook:0.12.1 Docker image, you will see the correct behavior.

Oddly, I have not been able to reproduce the issue outside of Docker. For example, if you go to the Livebook working directory and run the following, you'll get the expected behavior. The issue only shows up in Livebook ~> 0.13.0 running in Docker.

    git checkout v0.13.0
    mix setup
    ELIXIR_ERL_OPTIONS="-epmd_module Elixir.Livebook.EPMD" \
      LIVEBOOK_IDENTITY_PROVIDER="custom:CustomLivebookAuth" \
      elixir -r /path/to/custom_livebook_auth.exs -S mix phx.server

jonatanklosko commented 2 months ago

The identity check is orthogonal to the Livebook auth layer. You can disable the token auth with LIVEBOOK_TOKEN_ENABLED=false :)

The reason it doesn't show up with mix phx.server is because you are running dev. If you set MIX_ENV=prod it should match the behaviour.

josevalim commented 2 months ago

Yeah, to clarify, the identity provider authenticates everything! The auth is for the "admin" area :)

hugobarauna commented 2 months ago

There's more info about that in the docs: https://hexdocs.pm/livebook/authentication.html
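
As an added example (not part of the thread and not Livebook's own code), this POSIX shell helper reads a `docker run` argument list and reports which of the two layers described in the replies stays active, first for the command from the report and then for one with `LIVEBOOK_TOKEN_ENABLED=false`. The function names and output format are assumptions of this example, and the loopback port binding in the second command is a precaution added here, since the module in the report returns the same identity for every request.

```shell
# Added example: which access layers does a `docker run` argument list leave on?
# Follows the replies above: the identity provider and token auth are separate,
# and only LIVEBOOK_TOKEN_ENABLED=false removes the token prompt.
# Function names and the output format are this example's own (assumptions).
livebook_layers() (
  identity=none; token=enabled; bind=none
  while [ "$#" -ge 2 ]; do
    case $1 in
      -e)
        case $2 in
          LIVEBOOK_IDENTITY_PROVIDER=*) identity=${2#*=} ;;
          LIVEBOOK_TOKEN_ENABLED=false) token=disabled ;;
        esac
        shift ;;
      -p)
        # Without a host IP, Docker publishes the port on all host interfaces.
        case $2 in
          127.0.0.1:*) if [ "$bind" = none ]; then bind=loopback; fi ;;
          *) bind=all ;;
        esac
        shift ;;
    esac
    shift
  done
  printf 'identity=%s token=%s bind=%s\n' "$identity" "$token" "$bind"
)

# The command from the report: identity provider set, token prompt still on.
reported() {
  livebook_layers run --rm -ti \
    -v ./custom_livebook_auth.exs:/app/user/extensions/custom_livebook_auth.exs \
    -e LIVEBOOK_IDENTITY_PROVIDER=custom:CustomLivebookAuth \
    -p 8080:8080 -p 8081:8081 \
    ghcr.io/livebook-dev/livebook:0.13.0
}

# Same command with the token prompt disabled and both ports kept on loopback.
adjusted() {
  livebook_layers run --rm -ti \
    -v ./custom_livebook_auth.exs:/app/user/extensions/custom_livebook_auth.exs \
    -e LIVEBOOK_IDENTITY_PROVIDER=custom:CustomLivebookAuth \
    -e LIVEBOOK_TOKEN_ENABLED=false \
    -p 127.0.0.1:8080:8080 -p 127.0.0.1:8081:8081 \
    ghcr.io/livebook-dev/livebook:0.13.0
}

reported
adjusted
```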