[Rest Server] Application token api

[sunqinzheng]

Changes

Token format

• Application will be a JSON Web Token with an additional boolean field application
  • User / frontend service can decode the jwt and get if the token is an application token
• Since we will query k8s secret when authentication (check if it is revoked), the admin field in jwt is removed. The permission info will be retrieved dynamically from k8s secret

Storage

• The signed jwt list will be stored in the pai-user-token namespace of k8s secret
• Each user's token list will be a k8s secret item
  • name: username's hex string
  • data: uuid -> token
• The namespace will be created (if not exist) when rest server starts

Authentication error

• Token is expired error message is removed.
• Only a token is invalid error message will be shown now.

k8s secret model

• Since previous k8s secret interface is implemented for specific use, a new k8s secret interface (model) for general use is implemented.

API routes

• GET /api/v1/token
  • Get list of available tokens (portal token + application token)
• POST /api/v1/token/application
  • Generate an application token
• DELETE /api/v1/token/:token
  • Revoke a token (portal token / application token)

Test Cases

Token

1. Login and get the browser token from cookies
2. Decode the jwt token and the data should not conclude admin field.
3. Check if the token is stored in k8s secret's pai-user-token namespace as the structure described before.
4. Revoke the browser token through rest api
5. View home page through web portal, and "invalid token" alert message will be popped out.

Application Token

Tested in unit test "userToken.js"

[abuccts]

LGTM

[abuccts]

do not need hasGitHubPAT any more?

[sunqinzheng]

I don't know the current state of github pat feature.
I just keep the original logic and simplify the code.

[Binyang2014]

Not quiet understand for this line. In which situation, the HTTP authentication header will be "Basic credentials" #Closed

[sunqinzheng]

Other platforms (github, vso) uses basic authentication for their pats (BASIC username:pat_string).
I provide a similar authentication option here if user is more used to them. #Closed

[Binyang2014]

Thanks, got it

---

In reply to: 339970596 [](ancestors = 339970596)

[ydye]

Encode data to base64？

[sunqinzheng]

It's an inner function and I think it won't be used by other components.
I prefer using a shorter function name.

[sunqinzheng]

I will add some comments on them to improve code readability

[ydye]

decode data from base64

[ydye]

Is it deplicate with initClient ?

[sunqinzheng]

It's a namespace api with different base uri.
Maybe it should be in another file like k8s-util.js or k8s-namespace.js.
I think we can reorganize the k8s api file structure later.

[ydye]

Delete invalid token?

[yiyione]

Token

• Login and get the browser token from cookies
• Decode the jwt token and the data should not conclude admin field.
• Check if the token is stored in k8s secret's pai-user-token namespace as the structure described before.
• Revoke the browser token through rest api
  🍏 App Token: "Applications are not allowed to do this operation."
  🍏 Browser Token: "revoke successfully"
• View job list through web portal, and "invalid token" alert message will be popped out.
  🍎 e.forEach is not a function

Application Token

• Tested in unit test "userToken.js"