Implement Github authentication for backend endpoints

[zonca]

Requirements:

• Users are redirected to Github for authentication by the frontend app, before viewing any map
• Authenticate with their Github credentials
• Their Github username is checked against a list of allowed users (or should it just be membership to simonsobs Github org?)
• Now their token (probably JWT) is stored and they can access all api endpoints until logout or a timeout

@JBorrow please let me know if this is right

[JBorrow]

Yes, sounds perfect. I think checking against simonsobs is good, but we may want to be able to have an additional database table with 'super' users who can do things like ingest maps later down the line.

[zonca]

I tested the Github example of fastapi-sso and works fine: https://github.com/tomasvotava/fastapi-sso/blob/master/examples/github.py

the problem is that this doesn't store authentication, we will need to augment it following: https://tomasvotava.github.io/fastapi-sso/how-to-guides/use-with-fastapi-security/

[zonca]

following the tutorial, it works fine for protecting an endpoint, tested login/logout, access without authenticating first, everything working as expected:

https://gist.github.com/zonca/cd6b618593aaa8352f88ab5881d7598e

next I'll work on checking group membership and then integrating with tilemaker

[zonca]

I plan to leave the maps endpoint not authenticated, and protect all the other endpoints.

[JBorrow]

I think we want the ability to have conditional authentication at each endpoint; some maps will be public, and some will be behind the login.

[zonca]

ok, I implemented the organization membership check in the toy example: https://gist.github.com/zonca/21c78b1bbbb920035b84e480e976f9b3

In this situation an endpoint can be either authenticated or not authenticated. If it is authenticated, then we can check membership and have permissions at the object level, so any Github account will work for public maps and private maps will need simonsobs membership. This is a bit annoying for people accessing public data but it makes the implementation easier. Is it ok?

A note about the implementation: I cannot reuse the OAuth token because it doesn't have permissions to access the org API. I got around that using a PAT (classic) from Github with read:orgs permission. To simplify API calls I'm using PyGithub.

[JBorrow]

This looks great. Reading between the lines here you mean that there will need to be two endpoints, one for public maps and one for private maps? I guess that works, though we will need to think about structuring the code to avoid too much duplication. I guess this is a better scenario than having to be logged in to GitHub to even view the public maps, which I imagine is not going to be acceptable.

[zonca]

ok, working on this, I'm trying to have a single endpoint that redirects to authentication only for some query parameters (which will be the datasets).

[zonca]

@JBorrow ok, I got this working in a simple toy example:

https://gist.github.com/zonca/12a6b41fb53574a6a469f6a93d7db013

In this simple example /protected/0 does not require authentication, while /protected/1 gives permissions denied.

Once the users logs in successfully via Github using /auth/login and is member of the right Github organization, they can now access also the /protected/1 endpoint.

@JBorrow what should I do next?

[zonca]

I'll use act_dr5.01_s08s18_AA_f150_daynight_map.fits for testing

[zonca]

@JBorrow, just finished talking to @jernestmyers, we agreed I'll add a boolean column to the database to decide if a map is public or not. Then I'll implement Github auth to the tiles endpoint that is triggered only if the map requested is protected.

Once I have a pull request ready and working, @jernestmyers will modify https://github.com/jernestmyers/mapviewerclient to handle authentication in the frontend.

[zonca]

setup so it can be disabled for local usage