✨ web-server: Add Stand-alone Auth-App Entrypoint to Web-Server

[pcrespov]

What do these changes do?

This PR introduces a stand-alone entrypoint in the web-server that builds a lightweight app dedicated to authentication. This new app mainly includes the login_auth domain, which exposes a minimal REST API with the /auth:check endpoint.

In upcoming PRs, we’ll introduce a new service (tentatively wb-auth-server) based on the itisfoundation/webserver image to run this auth app. At that point, the Traefik reverse proxy's auth middleware will be configured to point to this service:

Unlike other services based on itisfoundation/webserver (e.g. webserver, wb-api-server, wb-db-event-listener, wb-garbage-collector), this one builds the domain explicitly via a dedicated entrypoint function (create_application_auth) rather than only relying on env-vars.

Changes

• web-server
  • Extracted login_auth from the login domain
    • login depends on login_auth, but not vice versa
      
  • Added a separate entrypoint for the auth app
    • application.py now provides create_application_auth

Related issue/s

• First part of Webserver: Have a separate service for authentication? #7781

How to test

• Main driving test

cd services/web/server
make install-dev
pytest -vv tests/unit/with_dbs/03/test_login_auth_app.py

# general
pytest -vv tests/unit/with_dbs/**/test*login*.py

Dev-ops

[codecov]

Codecov Report

Attention: Patch coverage is 90.90909% with 8 lines in your changes missing coverage. Please review.

Project coverage is 82.35%. Comparing base (5aa1302) to head (62aefc3).
Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #7818      +/-   ##
==========================================
- Coverage   85.40%   82.35%   -3.06%     
==========================================
  Files        1718      676    -1042     
  Lines       66138    31277   -34861     
  Branches     1137        0    -1137     
==========================================
- Hits        56488    25757   -30731     
+ Misses       9331     5520    -3811     
+ Partials      319        0     -319     

Flag	Coverage Δ
integrationtests	63.54% <76.13%> (+4.02%)	⬆️
unittests	81.50% <90.90%> (-3.49%)	⬇️

Components	Coverage Δ
api	76.84% <ø> (ø)
pkg_aws_library	∅ <ø> (∅)
pkg_celery_library	∅ <ø> (∅)
pkg_dask_task_models_library	∅ <ø> (∅)
pkg_models_library	∅ <ø> (∅)
pkg_notifications_library	∅ <ø> (∅)
pkg_postgres_database	∅ <ø> (∅)
pkg_service_integration	∅ <ø> (∅)
pkg_service_library	∅ <ø> (∅)
pkg_settings_library	∅ <ø> (∅)
pkg_simcore_sdk	∅ <ø> (∅)
agent	∅ <ø> (∅)
api_server	∅ <ø> (∅)
autoscaling	∅ <ø> (∅)
catalog	∅ <ø> (∅)
clusters_keeper	∅ <ø> (∅)
dask_sidecar	∅ <ø> (∅)
datcore_adapter	∅ <ø> (∅)
director	∅ <ø> (∅)
director_v2	77.65% <ø> (-7.80%)	⬇️
dynamic_scheduler	∅ <ø> (∅)
dynamic_sidecar	88.33% <ø> (-1.77%)	⬇️
efs_guardian	∅ <ø> (∅)
invitations	∅ <ø> (∅)
payments	∅ <ø> (∅)
resource_usage_tracker	∅ <ø> (∅)
storage	∅ <ø> (∅)
webclient	∅ <ø> (∅)
webserver	83.07% <90.90%> (+0.63%)	⬆️

---

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5aa1302...62aefc3. Read the comment docs.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[sanderegg]

very nice Thanks!
Thought, in the end we could completely offload the auth to that service. and move it to go or rust if needed.

[giancarloromeo]

Nice move

[bisgaard-itis]

I very much like the idea. I wonder though if it would not be more valuable to go for a standardized, well-supported solution specializing in this. I am thinking something similar to Traefik, but for authentication. I investigated a bit potential solutions with perplexity and he suggested https://github.com/keycloak/keycloak. Might be interesting to look into.

[pcrespov]

I very much like the idea. I wonder though if it would not be more valuable to go for a standardized, well-supported solution specializing in this. I am thinking something similar to Traefik, but for authentication. I investigated a bit potential solutions with perplexity and he suggested https://github.com/keycloak/keycloak. Might be interesting to look into.

@bisgaard-itis yes. I am aware of keycloak, actually we reveiwed it at the beginning of osparc :-) but at the time it was too big for us. Nonetheless, my point is that the new wb-auth-server is not incompatible with the idea of integrating keycloak. It can still be deployed behind it or at some point even replace it.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[pcrespov]

@mergify queue

[mergify]

queue

🟠 Waiting for conditions to match

• -closed [📌 queue requirement]
• -conflict [📌 queue requirement]
• -draft [📌 queue requirement]
• any of: [📌 queue -> configuration change requirements]
  • -mergify-configuration-changed
  • check-success = Configuration changed
• any of: [🔀 queue conditions]
  • all of: [📌 queue conditions of queue default]
    • #approved-reviews-by >= 2 [🛡 GitHub branch protection]
    • #approved-reviews-by>=2
    • #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
    • #changes-requested-reviews-by=0
    • #review-threads-unresolved = 0 [🛡 GitHub branch protection]
    • #review-threads-unresolved=0
    • -conflict
    • -draft
    • base=master
    • branch-protection-review-decision = APPROVED [🛡 GitHub branch protection]
    • label!=🤖-do-not-merge
    • label=🤖-automerge
    • any of: [🛡 GitHub branch protection]
      • check-skipped = deploy to dockerhub
      • check-neutral = deploy to dockerhub
      • check-success = deploy to dockerhub
    • any of: [🛡 GitHub branch protection]
      • check-success = system-tests
      • check-neutral = system-tests
      • check-skipped = system-tests
    • any of: [🛡 GitHub branch protection]
      • check-success = unit-tests
      • check-neutral = unit-tests
      • check-skipped = unit-tests
    • any of: [🛡 GitHub branch protection]
      • check-success = check OAS' are up to date
      • check-neutral = check OAS' are up to date
      • check-skipped = check OAS' are up to date
    • any of: [🛡 GitHub branch protection]
      • check-success = integration-tests
      • check-neutral = integration-tests
      • check-skipped = integration-tests
    • any of: [🛡 GitHub branch protection]
      • check-success = build-test-images (frontend) / build-test-images
      • check-neutral = build-test-images (frontend) / build-test-images
      • check-skipped = build-test-images (frontend) / build-test-images