Release token correctly, with usable web page

Author: arielshaqed

api/swagger.yml

@@ -2108,15 +2108,6 @@ components:
         destination:
           $ref: "#/components/schemas/IcebergLocalTable"
 
-    ReleaseToken:
-      type: object
-      required:
-        - token
-      properties:
-        token:
-          type: string
-          description: Login request token to release
-
 paths:
   /setup_comm_prefs:
     post:
@@ -3253,19 +3244,22 @@ paths:
         default:
           $ref: "#/components/responses/ServerError"
 
-  /auth/get-token/release-token:
-    post:
+  /auth/get-token/release-token/{loginRequestToken}:
+    parameters:
+      - in: path
+        # The mailbox is secret.  It is identified by the loginRequestToken
+        # - a JWT which is _not_ secret.  So it can safely go in the header.
+        name: loginRequestToken
+        required: true
+        schema:
+          type: string
+        description: login request token returned by getTokenRedirect.
+    get:                        # Called by opening a URL on the browser!
       tags:
         - auth
         - experimental
       operationId: releaseTokenToMailbox
       summary: release a token for the current (authenticated) user to the mailbox of this login request.
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              $ref: "#/components/schemas/ReleaseToken"
       responses:
         204:
           description: token released

cmd/lakectl/cmd/login.go

@@ -1,6 +1,7 @@
 package cmd
 
 import (
+	"errors"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -24,6 +25,11 @@ type webLoginParams struct {
 	RedirectURL string
 }
 
+var (
+	errTryAgain     = errors.New("HTTP request failed; retry")
+	errDontTryAgain = backoff.Permanent(errors.New("failed to get token"))
+)
+
 var loginCmd = &cobra.Command{
 	Use:     "login",
 	Short:   "Use a web browser to log into lakeFS",
@@ -58,6 +64,12 @@ var loginCmd = &cobra.Command{
 				if err != nil {
 					return nil, err
 				}
+				if resp.JSON404 != nil {
+					return nil, errTryAgain
+				}
+				if resp.JSON200 == nil {
+					return nil, errDontTryAgain
+				}
 				return resp.JSON200, nil
 			},
 			// Initial backoff is rapid, in case user is already logged in.  Then
@@ -72,8 +84,9 @@ var loginCmd = &cobra.Command{
 			DieErr(fmt.Errorf("get login token: %w", err))
 		}
 
-		// BUG(ariels): Remove!
-		fmt.Printf("TOKEN: %s\nExpires: %d\n", loginToken.Token, *loginToken.TokenExpiration)
+		if loginToken == nil {
+			Die("nil login token", 2)
+		}
 
 		cache := getTokenCacheOnce()
 		err = cache.SaveToken(loginToken)

cmd/lakectl/cmd/root.go

@@ -26,6 +26,7 @@ import (
 	"github.com/treeverse/lakefs/pkg/api/apigen"
 	"github.com/treeverse/lakefs/pkg/api/apiutil"
 	"github.com/treeverse/lakefs/pkg/authentication/externalidp/awsiam"
+	"github.com/treeverse/lakefs/pkg/authentication/internalidp"
 	lakefsconfig "github.com/treeverse/lakefs/pkg/config"
 	"github.com/treeverse/lakefs/pkg/git"
 	giterror "github.com/treeverse/lakefs/pkg/git/errors"
@@ -627,8 +628,8 @@ func getClient() *apigen.ClientWithResponses {
 		DieErr(err)
 	}
 
-	useIAMAuth := awsIAMparams != nil && accessKeyID == "" && secretAccessKey == ""
-	if useIAMAuth {
+	useJWTAuth := accessKeyID == "" && secretAccessKey == ""
+	if useJWTAuth {
 		opts = getClientOptions(awsIAMparams, serverEndpoint)
 	}
 
@@ -664,6 +665,14 @@ func CreateTokenCacheCallback() awsiam.TokenCacheCallback {
 func getClientOptions(awsIAMparams *awsiam.IAMAuthParams, serverEndpoint string) []apigen.ClientOption {
 	token := getTokenOnce()
 
+	logger := logging.ContextUnavailable().WithField("component", "client_auth")
+
+	if awsIAMparams == nil {
+		return []apigen.ClientOption{
+			internalidp.WithLoginTokenAuth(logger, internalidp.NewFixedLoginClient(token.Token)),
+		}
+	}
+
 	tokenCacheCallback := CreateTokenCacheCallback()
 
 	awsLogSigning := cfg.Credentials.Provider.AWSIAM.ClientLogPreSigningRequest
@@ -683,7 +692,7 @@ func getClientOptions(awsIAMparams *awsiam.IAMAuthParams, serverEndpoint string)
 
 	awsAuthProvider := awsiam.WithAWSIAMRoleAuthProviderOption(
 		awsIAMparams,
-		logging.ContextUnavailable(),
+		logger,
 		loginClient,
 		token,
 		tokenCacheCallback,

go.mod

@@ -25,7 +25,7 @@ require (
 	github.com/jamiealquiza/tachymeter v2.0.0+incompatible
 	github.com/jedib0t/go-pretty/v6 v6.6.7
 	github.com/manifoldco/promptui v0.9.0
-	github.com/matoous/go-nanoid/v2 v2.0.0
+	github.com/matoous/go-nanoid/v2 v2.1.0
 	github.com/minio/minio-go/v7 v7.0.63
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/ory/dockertest/v3 v3.12.0
@@ -139,8 +139,9 @@ require (
 	github.com/barweiss/go-tuple v1.1.2 // indirect
 	github.com/benbjohnson/clock v1.3.0 // indirect
 	github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42 // indirect
-	github.com/deckarep/golang-set/v2 v2.6.0 // indirect
+	github.com/deckarep/golang-set/v2 v2.8.0 // indirect
 	github.com/dgraph-io/ristretto/v2 v2.2.0 // indirect
+	github.com/elnormous/contenttype v1.0.4 // indirect
 	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect

go.sum

@@ -391,8 +391,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/deckarep/golang-set/v2 v2.6.0 h1:XfcQbWM1LlMB8BsJ8N9vW5ehnnPVIw0je80NsVHagjM=
-github.com/deckarep/golang-set/v2 v2.6.0/go.mod h1:VAky9rY/yGXJOLEDv3OMci+7wtDpOF4IN+y82NBOac4=
+github.com/deckarep/golang-set/v2 v2.8.0 h1:swm0rlPCmdWn9mESxKOjWk8hXSqoxOp+ZlfuyaAdFlQ=
+github.com/deckarep/golang-set/v2 v2.8.0/go.mod h1:VAky9rY/yGXJOLEDv3OMci+7wtDpOF4IN+y82NBOac4=
 github.com/deepmap/oapi-codegen v1.5.6 h1:hlUtA13SL2HNoC/5vXDFdGm2AaN1j9/rUu7zedjBiqg=
 github.com/deepmap/oapi-codegen v1.5.6/go.mod h1:NoliSkZp7cRAkisw65+PUtvgy56f21QQesX1tVUzS8g=
 github.com/denisenkom/go-mssqldb v0.12.0/go.mod h1:iiK0YP1ZeepvmBQk/QpLEhhTNJgfzrpArPY/aFvc9yU=
@@ -423,6 +423,8 @@ github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDD
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
+github.com/elnormous/contenttype v1.0.4 h1:FjmVNkvQOGqSX70yvocph7keC8DtmJaLzTTq6ZOQCI8=
+github.com/elnormous/contenttype v1.0.4/go.mod h1:5KTOW8m1kdX1dLMiUJeN9szzR2xkngiv2K+RVZwWBbI=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
@@ -816,8 +818,8 @@ github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYt
 github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg=
 github.com/matoous/go-nanoid v1.5.0 h1:VRorl6uCngneC4oUQqOYtO3S0H5QKFtKuKycFG3euek=
 github.com/matoous/go-nanoid v1.5.0/go.mod h1:zyD2a71IubI24efhpvkJz+ZwfwagzgSO6UNiFsZKN7U=
-github.com/matoous/go-nanoid/v2 v2.0.0 h1:d19kur2QuLeHmJBkvYkFdhFBzLoo1XVm2GgTpL+9Tj0=
-github.com/matoous/go-nanoid/v2 v2.0.0/go.mod h1:FtS4aGPVfEkxKxhdWPAspZpZSh1cOjtM7Ej/So3hR0g=
+github.com/matoous/go-nanoid/v2 v2.1.0 h1:P64+dmq21hhWdtvZfEAofnvJULaRR1Yib0+PnU669bE=
+github.com/matoous/go-nanoid/v2 v2.1.0/go.mod h1:KlbGNQ+FhrUNIHUxZdL63t7tl4LaPkZNpUULS8H4uVM=
 github.com/matryer/moq v0.0.0-20190312154309-6cfb0558e1bd/go.mod h1:9ELz6aaclSIGnZBoaSLZ3NAl1VTufbOrXBPvtcy6WiQ=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=

go.work.sum

@@ -454,7 +454,6 @@ contrib.go.opencensus.io/exporter/stackdriver v0.13.14 h1:zBakwHardp9Jcb8sQHcHpX
 contrib.go.opencensus.io/exporter/stackdriver v0.13.14/go.mod h1:5pSSGY0Bhuk7waTHuDf4aQ8D2DrhgETRo9fy6k3Xlzc=
 contrib.go.opencensus.io/integrations/ocsql v0.1.7 h1:G3k7C0/W44zcqkpRSFyjU9f6HZkbwIrL//qqnlqWZ60=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9 h1:VpgP7xuJadIUuKccphEpTJnWhS2jkQyMt6Y7pJCD7fY=
-filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 gioui.org v0.0.0-20210308172011-57750fc8a0a6 h1:K72hopUosKG3ntOPNG4OzzbuhxGuVf06fa2la1/H/Ho=
 github.com/AndreasBriese/bbloom v0.0.0-20190306092124-e2d15f34fcf9 h1:HD8gA2tkByhMAwYaFAX9w2l7vxvBQ5NMoxDrkhqhtn4=
 github.com/Azure/azure-amqp-common-go/v3 v3.2.3 h1:uDF62mbd9bypXWi19V1bN5NZEO84JqgmI5G73ibAmrk=
@@ -581,6 +580,7 @@ github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53E
 github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
 github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
+github.com/deckarep/golang-set/v2 v2.8.0/go.mod h1:VAky9rY/yGXJOLEDv3OMci+7wtDpOF4IN+y82NBOac4=
 github.com/denisenkom/go-mssqldb v0.12.0 h1:VtrkII767ttSPNRfFekePK3sctr+joXgO58stqQbtUA=
 github.com/devigned/tab v0.1.1 h1:3mD6Kb1mUOYeLpJvTVSDwSg5ZsfSxfvxGRTxRsJsITA=
 github.com/dgraph-io/badger v1.6.0 h1:DshxFxZWXUcO0xX476VJC07Xsr6ZCBVRHKZ93Oh7Evo=
@@ -638,7 +638,6 @@ github.com/go-playground/universal-translator v0.18.0 h1:82dyy6p4OuJq4/CByFNOn/j
 github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA=
 github.com/go-playground/validator/v10 v10.11.1 h1:prmOlTVv+YjZjmRmNSF3VmspqJIxJWXmqUsHwfTRRkQ=
 github.com/go-playground/validator/v10 v10.11.1/go.mod h1:i+3WkQ1FvaUjjxh1kSvIA4dMGDBiPU55YFDl0WbKdWU=
-github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
 github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk=
 github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee h1:s+21KNqlpePfkah2I+gwHF8xmJWRjooY+5248k6m4A0=
 github.com/gobwas/pool v0.2.0 h1:QEmUOlnSjWtnpRGHF3SauEiOsy82Cup83Vf2LcMlnc8=
@@ -776,6 +775,7 @@ github.com/mailgun/raymond/v2 v2.0.46 h1:aOYHhvTpF5USySJ0o7cpPno/Uh2I5qg2115K25A
 github.com/mailgun/raymond/v2 v2.0.46/go.mod h1:lsgvL50kgt1ylcFJYZiULi5fjPBkkhNfj4KA0W54Z18=
 github.com/mailgun/raymond/v2 v2.0.48 h1:5dmlB680ZkFG2RN/0lvTAghrSxIESeu9/2aeDqACtjw=
 github.com/mailgun/raymond/v2 v2.0.48/go.mod h1:lsgvL50kgt1ylcFJYZiULi5fjPBkkhNfj4KA0W54Z18=
+github.com/matoous/go-nanoid/v2 v2.1.0/go.mod h1:KlbGNQ+FhrUNIHUxZdL63t7tl4LaPkZNpUULS8H4uVM=
 github.com/matryer/moq v0.0.0-20190312154309-6cfb0558e1bd h1:HvFwW+cm9bCbZ/+vuGNq7CRWXql8c0y8nGeYpqmpvmk=
 github.com/mattn/go-ieproxy v0.0.1 h1:qiyop7gCflfhwCzGyeT0gro3sF9AIg9HU98JORTkqfI=
 github.com/mattn/goveralls v0.0.2 h1:7eJB6EqsPhRVxvwEXGnqdO2sJI0PTsrWoTMXEk9/OQc=

pkg/api/controller.go

@@ -7,6 +7,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"html/template"
 	"io"
 	"mime"
 	"mime/multipart"
@@ -22,6 +23,7 @@ import (
 
 	"github.com/aws/aws-sdk-go-v2/feature/s3/manager"
 	"github.com/davecgh/go-spew/spew"
+	"github.com/elnormous/contenttype"
 	"github.com/go-openapi/swag"
 	"github.com/gorilla/sessions"
 	authacl "github.com/treeverse/lakefs/contrib/auth/acl"
@@ -866,6 +868,7 @@ func (c *Controller) GetTokenRedirect(w http.ResponseWriter, r *http.Request) {
 
 	w.Header().Set("Location", redirect.RedirectURL)
 	w.Header().Set("X-LakeFS-Mailbox", redirect.Mailbox)
+
 	writeResponse(w, r, http.StatusOK, nil)
 }
 
@@ -877,23 +880,97 @@ func (c *Controller) GetTokenFromMailbox(w http.ResponseWriter, r *http.Request,
 		return
 	}
 
+	// This call is repeated, so only log after we've found the token is valid.
+	c.LogAction(ctx, "get_token_from_mailbox", r, "", "", "")
+
+	c.Logger.
+		WithContext(r.Context()).
+		WithFields(logging.Fields{
+			"mailbox":          mailbox,
+			"token_expiration": expiresAt,
+		}).
+		Debug("Got login token")
+
 	response := apigen.AuthenticationToken{
 		Token:           token,
 		TokenExpiration: swag.Int64(expiresAt.Unix()),
 	}
 	writeResponse(w, r, http.StatusOK, response)
 }
 
-func (c *Controller) ReleaseTokenToMailbox(w http.ResponseWriter, r *http.Request, params apigen.ReleaseTokenToMailboxJSONRequestBody) {
+var releasedTokenTemplate = template.Must(
+	template.New("released-token").
+		Parse(`{{define "releasedToken" -}}
+<!doctype html>
+<html>
+  <title>Logged in</title>
+  <body>
+  <div>You are logged in as <code>{{.Username}}</code>.  It is safe to close this window.</div>
+  </body>
+</html>
+{{- end}}`))
+
+type UserData struct {
+	Username string
+}
+
+var (
+	textHTML                         = contenttype.MediaType{"text", "html", nil}
+	releaseTokenAcceptableMediaTypes = []contenttype.MediaType{
+		textHTML,
+		{"*", "*", nil},
+	}
+)
+
+func (c *Controller) ReleaseTokenToMailbox(w http.ResponseWriter, r *http.Request, loginRequestToken string) {
 	ctx := r.Context()
 
-	loginRequestToken := params.Token
+	c.LogAction(ctx, "release_token_to_mailbox", r, "", "", "")
+
 	// Release will release a token for the authenticated user.
 	err := c.loginTokenProvider.Release(ctx, loginRequestToken)
 	if c.handleAPIError(ctx, w, r, err) {
 		return
 	}
-	writeResponse(w, r, http.StatusNoContent, nil)
+
+	mediaType, _, err := contenttype.GetAcceptableMediaType(r, releaseTokenAcceptableMediaTypes)
+	if err != nil {
+		c.Logger.
+			WithContext(r.Context()).
+			WithError(err).
+			WithField("accept", r.Header.Get("Accept")).
+			Warn("Failed to parse Content-Type - no user-friendly page")
+		// Keep going - errors are safe here, at worst the user will not get a pretty page.
+	}
+
+	switch {
+	case mediaType.EqualsMIME(textHTML):
+		username := ""
+		user, err := auth.GetUser(ctx)
+		if err != nil {
+			// Errors are safe here, at worst we won't tell user their name.
+			c.Logger.
+				WithContext(r.Context()).
+				WithError(err).
+				WithField("accept", r.Header.Get("Accept")).
+				Warn("Failed to get user - they won't see their logged-in name on the page")
+		}
+		if user != nil {
+			username = user.Username
+		}
+		// This endpoint is _usually_ visited by a browser.  Report to the user that
+		// they logged in, telling them the name they used to log in.
+		httputil.KeepPrivate(w)
+
+		err = releasedTokenTemplate.ExecuteTemplate(w, "releasedToken", &UserData{Username: username})
+		if c.handleAPIError(ctx, w, r, err) {
+			return
+		}
+
+		w.WriteHeader(http.StatusOK)
+	default:
+		writeResponse(w, r, http.StatusNoContent, nil)
+	}
 }
 
 func (c *Controller) GetPhysicalAddress(w http.ResponseWriter, r *http.Request, repository, branch string, params apigen.GetPhysicalAddressParams) {
@@ -4873,11 +4950,7 @@ func (c *Controller) GetObject(w http.ResponseWriter, r *http.Request, repositor
 	w.Header().Set("Last-Modified", lastModified)
 	w.Header().Set("Content-Type", entry.ContentType)
 	// for security, make sure the browser and any proxies en route don't cache the response
-	w.Header().Set("Cache-Control", "no-store, must-revalidate")
-	w.Header().Set("Expires", "0")
-	w.Header().Set("X-Content-Type-Options", "nosniff")
-	w.Header().Set("X-Frame-Options", "SAMEORIGIN")
-	w.Header().Set("Content-Security-Policy", "default-src 'none'")
+	httputil.KeepPrivate(w)
 	w.Header().Set("Content-Disposition", "attachment")
 
 	// handle partial response if byte range supplied
@@ -6157,8 +6230,7 @@ func (c *Controller) GetUsageReportSummary(w http.ResponseWriter, r *http.Reques
 
 	// base on content-type return plain text or json (default)
 	if r.Header.Get("Accept") == "text/plain" {
-		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-		w.Header().Set("X-Content-Type-Options", "nosniff")
+		httputil.KeepPrivate(w)
 		_, _ = fmt.Fprintf(w, "Usage for installation ID: %s\n", installationID)
 		for _, rec := range records {
 			_, _ = fmt.Fprintf(w, "%d-%02d: %12d\n", rec.Year, rec.Month, rec.Count)

pkg/httputil/response.go

@@ -6,3 +6,14 @@ import "net/http"
 func IsSuccessStatusCode(response *http.Response) bool {
 	return response.StatusCode >= http.StatusOK && response.StatusCode < http.StatusMultipleChoices
 }
+
+// KeepPrivate sets some headers on response to keep it private: no caching, no sniff,
+// sameorigin, etc.  It should be used on any non-API response (HTML, text, object contents,
+// etc.)
+func KeepPrivate(w http.ResponseWriter) {
+	w.Header().Set("Cache-Control", "no-store, must-revalidate")
+	w.Header().Set("Expires", "0")
+	w.Header().Set("X-Content-Type-Options", "nosniff")
+	w.Header().Set("X-Frame-Options", "SAMEORIGIN")
+	w.Header().Set("Content-Security-Policy", "default-src 'none'")
+}