feat/refactor: filestore feature flag (#4617)

Co-authored-by: Mateo Ivankovic <[email protected]>
inovex · Dec 9, 2024 · 39e4fb2 · 39e4fb2
1 parent 0db087e
commit 39e4fb2
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 8 deletions.
diff --git a/deployment/docker/docker-compose.yml b/deployment/docker/docker-compose.yml
@@ -30,11 +30,12 @@ services:
       # SCRUMLR_AUTH_OIDC_CLIENT_ID: "${OIDC_CLIENT_ID}"
       # SCRUMLR_AUTH_OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
       # SCRUMLR_AUTH_OIDC_DISCOVERY_URL: "${OIDC_DISCOVERY_URL}"
-      # SCRUMLR_CONFIG_PATH: "${SCRUMRL_CONFIG_PATH}"
+      # SCRUMLR_CONFIG_PATH: "${SCRUMLR_CONFIG_PATH}"
       # Redis variables (if you decide to use Redis instead of NATS)
       # SCRUMLR_SERVER_REDIS_HOST: "${REDIS_HOST}"
       # SCRUMLR_SERVER_REDIS_USERNAME: "${REDIS_USERNAME}"
       # SCRUMLR_SERVER_REDIS_PASSWORD: "${REDIS_PASSWORD}"
+      # SCRUMLR_ENABLE_EXPERIMENTAL_AUTH_FILE_SYSTEM_STORE: "${SCRUMLR_ENABLE_EXPERIMENTAL_AUTH_FILE_SYSTEM_STORE}"
     ports:
       - "8080:8080"
     depends_on:

diff --git a/docs/src/content/docs/self-hosting/env-vars.md b/docs/src/content/docs/self-hosting/env-vars.md
@@ -92,6 +92,22 @@ The base path of the API. The default is `/`.
 SCRUMLR_BASE_PATH=''
 ```
 
+### Disable Anonymous Login
+If set to `true`, users won't be able to log in anonymously, forcing them to use a provider (any OAuth or OIDC).
+Note that if this is set to `true`, and no valid providers are available, login won't be possible at all.
+Default is `false`.
+```bash
+SCRUMLR_DISABLE_ANONYMOUS_LOGIN=false
+```
+
+### Enable Experimental File System Store
+Enables an experimental file store for session cookies, which is used during OAuth authentication to store session info while on the provider page.
+Required for some OIDC providers, since their session cookies exceed the size limit of 4KB.
+Default is `false`.
+```bash
+SCRUMLR_ENABLE_EXPERIMENTAL_AUTH_FILE_SYSTEM_STORE=false
+```
+
 ### Auth Callback Host
 The host to which the OAuth callback should redirect.
 ```bash
@@ -149,6 +165,7 @@ SCRUMLR_AUTH_OIDC_DISCOVERY_URL
 SCRUMLR_AUTH_OIDC_USER_IDENT_SCOPE
 SCRUMLR_AUTH_OIDC_USER_NAME_SCOPE
 ```
+Note: Might require larger session store to be active, see [SCRUMLR_ENABLE_EXPERIMENTAL_AUTH_FILE_SYSTEM_STORE](#enable-experimental-file-system-store)
 
 ### Feedback Webhook URL
 A webhook URL to which feedback should be sent.

diff --git a/server/config_example.toml b/server/config_example.toml
@@ -31,6 +31,9 @@ base-path = "/"
 # Enable/Disable the login of anonymous clients
 disable-anonymous-login = false
 
+# enables/disables experimental file system store, in order to allow larger session cookie sizes
+auth-experimental-file-system-store = false
+
 # Set the protocol and host for the auth provider callbacks (e.g. https://scrumlr.io)
 auth-callback-host = ""
 

diff --git a/server/src/api/login.go b/server/src/api/login.go
@@ -4,15 +4,13 @@ import (
 	"fmt"
 	"math"
 	"net/http"
-	"os"
 	"strings"
 	"time"
 
 	"scrumlr.io/server/common"
 	"scrumlr.io/server/logger"
 
 	"github.com/go-chi/render"
-	"github.com/gorilla/sessions"
 	"github.com/markbates/goth/gothic"
 	"scrumlr.io/server/common/dto"
 	"scrumlr.io/server/database/types"
@@ -74,9 +72,6 @@ func (s *Server) logout(w http.ResponseWriter, r *http.Request) {
 
 // beginAuthProviderVerification will redirect the user to the specified auth provider consent page
 func (s *Server) beginAuthProviderVerification(w http.ResponseWriter, r *http.Request) {
-	store := sessions.NewFilesystemStore(os.TempDir(), []byte("scrumlr.io"))
-	store.MaxLength(0x8000)
-	gothic.Store = store
 	gothic.BeginAuthHandler(w, r)
 }
 

diff --git a/server/src/api/router.go b/server/src/api/router.go
@@ -1,14 +1,17 @@
 package api
 
 import (
+	"github.com/markbates/goth/gothic"
 	"net/http"
+	"os"
 	"time"
 
 	"github.com/go-chi/cors"
 	"github.com/go-chi/httprate"
 	"github.com/go-chi/jwtauth/v5"
 	"github.com/go-chi/render"
 	"github.com/google/uuid"
+	gorillaSessions "github.com/gorilla/sessions"
 	"github.com/gorilla/websocket"
 
 	"scrumlr.io/server/auth"
@@ -43,7 +46,9 @@ type Server struct {
 	boardSubscriptions               map[uuid.UUID]*BoardSubscription
 	boardSessionRequestSubscriptions map[uuid.UUID]*BoardSessionRequestSubscription
 
-	anonymousLoginDisabled bool
+	// note: if more options come with time, it might be sensible to wrap them into a struct
+	anonymousLoginDisabled      bool
+	experimentalFileSystemStore bool
 }
 
 func New(
@@ -65,6 +70,7 @@ func New(
 	verbose bool,
 	checkOrigin bool,
 	anonymousLoginDisabled bool,
+	experimentalFileSystemStore bool,
 ) chi.Router {
 	r := chi.NewRouter()
 	r.Use(middleware.Recoverer)
@@ -106,7 +112,8 @@ func New(
 		boardReactions:                   boardReactions,
 		boardTemplates:                   boardTemplates,
 
-		anonymousLoginDisabled: anonymousLoginDisabled,
+		anonymousLoginDisabled:      anonymousLoginDisabled,
+		experimentalFileSystemStore: experimentalFileSystemStore,
 	}
 
 	// initialize websocket upgrader with origin check depending on options
@@ -115,6 +122,16 @@ func New(
 		WriteBufferSize: 1024,
 	}
 
+	// if enabled, this experimental feature allows for larger session cookies *during OAuth authentication* by storing them in a file store.
+	// this might be required when using some OIDC providers which exceed the 4KB limit.
+	// see https://github.com/markbates/goth/pull/141
+	if s.experimentalFileSystemStore {
+		logger.Get().Infow("using experimental file system store")
+		store := gorillaSessions.NewFilesystemStore(os.TempDir(), []byte("scrumlr.io"))
+		store.MaxLength(0x8000) // 32KB should be plenty of space
+		gothic.Store = store
+	}
+
 	if checkOrigin {
 		s.upgrader.CheckOrigin = nil
 	} else {

diff --git a/server/src/main.go b/server/src/main.go
@@ -109,6 +109,13 @@ func main() {
 				Required: false,
 				Value:    false,
 			}),
+			altsrc.NewBoolFlag(&cli.BoolFlag{
+				Name:     "auth-enable-experimental-file-system-store",
+				EnvVars:  []string{"SCRUMLR_ENABLE_EXPERIMENTAL_AUTH_FILE_SYSTEM_STORE"},
+				Usage:    "enables/disables experimental file system store, in order to allow larger session cookie sizes",
+				Required: false,
+				Value:    false,
+			}),
 			altsrc.NewStringFlag(&cli.StringFlag{
 				Name:     "auth-callback-host",
 				Aliases:  []string{"c"},
@@ -373,6 +380,7 @@ func run(c *cli.Context) error {
 		c.Bool("verbose"),
 		!c.Bool("disable-check-origin"),
 		c.Bool("disable-anonymous-login"),
+		c.Bool("auth-enable-experimental-file-system-store"),
 	)
 
 	port := fmt.Sprintf(":%d", c.Int("port"))