removes default product to avoid accidental cross-product login

pcrespov · pcrespov · commit 2c3cc824e9d1 · 2024-10-11T16:33:17.000+02:00
diff --git a/services/web/server/src/simcore_service_webserver/products/_middlewares.py b/services/web/server/src/simcore_service_webserver/products/_middlewares.py
@@ -1,3 +1,4 @@
+import enum
 import logging
 from collections import OrderedDict
 
@@ -35,6 +36,14 @@ def _get_app_default_product_name(request: web.Request) -> str:
     return product_name
 
 
+class Sentinel(enum.StrEnum):
+    UNSET = "UNSET"
+    UNDEFINED = "UNDEFINED"
+
+
+_INCLUDE_PATHS: set[str] = {"/static-frontend-data.json", "/socket.io/"}
+
+
 @web.middleware
 async def discover_product_middleware(request: web.Request, handler: Handler):
     """
@@ -45,17 +54,13 @@ async def discover_product_middleware(request: web.Request, handler: Handler):
     """
     # - API entrypoints
     # - /static info for front-end
-    if (
-        request.path.startswith(f"/{API_VTAG}")
-        or request.path == "/static-frontend-data.json"
-        or request.path == "/socket.io/"
-    ):
-        product_name = (
+    if request.path.startswith(f"/{API_VTAG}") or request.path in _INCLUDE_PATHS:
+        request[RQ_PRODUCT_KEY] = (
             _discover_product_by_request_header(request)
             or _discover_product_by_hostname(request)
-            or _get_app_default_product_name(request)
+            or Sentinel.UNDEFINED
+            # FIXME: or _get_app_default_product_name(request)
         )
-        request[RQ_PRODUCT_KEY] = product_name
 
     # - Publications entrypoint: redirections from other websites. SEE studies_access.py::access_study
     # - Root entrypoint: to serve front-end apps
@@ -64,11 +69,20 @@ async def discover_product_middleware(request: web.Request, handler: Handler):
         or request.path.startswith("/view")
         or request.path == "/"
     ):
-        product_name = _discover_product_by_hostname(
-            request
-        ) or _get_app_default_product_name(request)
+        request[RQ_PRODUCT_KEY] = (
+            _discover_product_by_hostname(request) or Sentinel.UNDEFINED
+        )
+        # FIXME: or _get_app_default_product_name(request)
 
-        request[RQ_PRODUCT_KEY] = product_name
+    msg = "\n".join(
+        [
+            f"{request.url=}",
+            f"{request.host=}",
+            f"{request.headers=}",
+            f"{request.get(RQ_PRODUCT_KEY)=}",
+        ]
+    )
+    _logger.warning("\n--TESTING->\n%s", msg)
 
     assert request.get(RQ_PRODUCT_KEY) is not None or request.path.startswith(  # nosec
         "/dev/doc"
diff --git a/services/web/server/tests/unit/isolated/test_products_middlewares.py b/services/web/server/tests/unit/isolated/test_products_middlewares.py
@@ -77,6 +77,12 @@ def mock_app(mock_postgres_product_table: dict[str, Any]) -> web.Application:
         ("https://ti-solutions.io/", "tis", "tis"),
         ("https://osparc.io/", None, "osparc"),  # e.g. an old front-end
         ("https://staging.osparc.io/", "osparc", "osparc"),
+        # new auth of subdomains. SEE https://github.com/ITISFoundation/osparc-simcore/pull/6484
+        (
+            "https://34c878cd-f801-433f-9ddb-7dccba9251af.services.s4l-solutions.com/notebooks/lab",
+            "s4l",
+            "s4l",
+        ),
     ],
 )
 async def test_middleware_product_discovery(
