Allow session-based HTTP authentication (#11911)

Author: StpMax

mindsdb/api/http/initialize.py

@@ -1,4 +1,5 @@
 import os
+import secrets
 import mimetypes
 import threading
 import webbrowser
@@ -24,7 +25,7 @@
 from mindsdb.api.http.namespaces.jobs import ns_conf as jobs_ns
 from mindsdb.api.http.namespaces.config import ns_conf as conf_ns
 from mindsdb.api.http.namespaces.databases import ns_conf as databases_ns
-from mindsdb.api.http.namespaces.default import ns_conf as default_ns
+from mindsdb.api.http.namespaces.default import ns_conf as default_ns, check_session_auth
 from mindsdb.api.http.namespaces.file import ns_conf as file_ns
 from mindsdb.api.http.namespaces.handlers import ns_conf as handlers_ns
 from mindsdb.api.http.namespaces.knowledge_bases import ns_conf as knowledge_bases_ns
@@ -44,7 +45,7 @@
 from mindsdb.interfaces.storage import db
 from mindsdb.metrics.server import init_metrics
 from mindsdb.utilities import log
-from mindsdb.utilities.config import config
+from mindsdb.utilities.config import config, HTTP_AUTH_TYPE
 from mindsdb.utilities.context import context as ctx
 from mindsdb.utilities.json_encoder import ORJSONProvider
 from mindsdb.utilities.ps import is_pid_listen_port, wait_func_is_true
@@ -324,10 +325,19 @@ def before_request():
             bearer = h.split(" ", 1)[1].strip() or None
 
         # region routes where auth is required
+        http_auth_type = config["auth"]["http_auth_type"]
         if (
             config["auth"]["http_auth_enabled"] is True
             and any(request.path.startswith(f"/api{ns.path}") for ns in protected_namespaces)
-            and verify_pat(bearer) is False
+            and (
+                (http_auth_type == HTTP_AUTH_TYPE.SESSION and check_session_auth() is False)
+                or (http_auth_type == HTTP_AUTH_TYPE.TOKEN and verify_pat(bearer) is False)
+                or (
+                    http_auth_type == HTTP_AUTH_TYPE.SESSION_OR_TOKEN
+                    and check_session_auth() is False
+                    and verify_pat(bearer) is False
+                )
+            )
         ):
             logger.debug(f"Auth failed for path {request.path}")
             return http_error(
@@ -392,13 +402,26 @@ def initialize_flask():
     app.config["SWAGGER_HOST"] = "http://localhost:8000/mindsdb"
     app.json = ORJSONProvider(app)
 
-    authorizations = {"apikey": {"type": "apiKey", "in": "header", "name": "Authorization"}}
+    http_auth_type = config["auth"]["http_auth_type"]
+    authorizations = {}
+    security = []
+
+    if http_auth_type in (HTTP_AUTH_TYPE.SESSION, HTTP_AUTH_TYPE.SESSION_OR_TOKEN):
+        app.config["SECRET_KEY"] = os.environ.get("FLASK_SECRET_KEY", secrets.token_hex(32))
+        app.config["SESSION_COOKIE_NAME"] = "session"
+        app.config["PERMANENT_SESSION_LIFETIME"] = config["auth"]["http_permanent_session_lifetime"]
+        authorizations["session"] = {"type": "apiKey", "in": "cookie", "name": "session"}
+        security.append(["session"])
+
+    if http_auth_type in (HTTP_AUTH_TYPE.TOKEN, HTTP_AUTH_TYPE.SESSION_OR_TOKEN):
+        authorizations["bearer"] = {"type": "apiKey", "in": "header", "name": "Authorization"}
+        security.append(["bearer"])
 
     logger.debug("Creating swagger API..")
     api = Swagger_Api(
         app,
         authorizations=authorizations,
-        security=["apikey"],
+        security=security,
         url_prefix=":8000",
         prefix="/api",
         doc="/doc/",

mindsdb/api/http/namespaces/default.py

@@ -1,19 +1,33 @@
-from flask import request
+from flask import request, session
 from flask_restx import Resource
 from flask_restx import fields
 
 from mindsdb.__about__ import __version__ as mindsdb_version
 from mindsdb.api.http.namespaces.configs.default import ns_conf
 from mindsdb.api.http.utils import http_error
 from mindsdb.metrics.metrics import api_endpoint_metrics
-from mindsdb.utilities.config import Config
+from mindsdb.utilities.config import config, HTTP_AUTH_TYPE
 from mindsdb.utilities import log
 from mindsdb.api.common.middleware import generate_pat, revoke_pat, verify_pat
 
 
 logger = log.getLogger(__name__)
 
 
+def check_session_auth() -> bool:
+    """checking whether current user is authenticated
+
+    Returns:
+        bool: True if user authentication is approved
+    """
+    try:
+        if config["auth"]["http_auth_enabled"] is False:
+            return True
+        return session.get("username") == config["auth"]["username"]
+    except Exception:
+        return False
+
+
 @ns_conf.route("/login", methods=["POST"])
 class LoginRoute(Resource):
     @ns_conf.doc(
@@ -36,7 +50,6 @@ def post(self):
         ):
             return http_error(400, "Error in username or password", "Username and password should be string")
 
-        config = Config()
         inline_username = config["auth"]["username"]
         inline_password = config["auth"]["password"]
 
@@ -45,14 +58,24 @@ def post(self):
 
         logger.info(f"User '{username}' logged in successfully")
 
-        return {"token": generate_pat()}, 200
+        response = {}
+        if config["auth"]["http_auth_type"] in (HTTP_AUTH_TYPE.SESSION, HTTP_AUTH_TYPE.SESSION_OR_TOKEN):
+            session.clear()
+            session["username"] = username
+            session.permanent = True
+
+        if config["auth"]["http_auth_type"] in (HTTP_AUTH_TYPE.TOKEN, HTTP_AUTH_TYPE.SESSION_OR_TOKEN):
+            response["token"] = generate_pat()
+
+        return response, 200
 
 
 @ns_conf.route("/logout", methods=["POST"])
 class LogoutRoute(Resource):
     @ns_conf.doc(responses={200: "Success"})
     @api_endpoint_metrics("POST", "/default/logout")
     def post(self):
+        session.clear()
         # We can't forcibly log out a user with the
         h = request.headers.get("Authorization")
         if not h or not h.startswith("Bearer "):
@@ -89,7 +112,6 @@ class StatusRoute(Resource):
     def get(self):
         """returns auth and environment data"""
         environment = "local"
-        config = Config()
 
         environment = config.get("environment")
         if environment is None:
@@ -107,11 +129,20 @@ def get(self):
             else:
                 auth_provider = "local"
 
+        auth_confirmed = False
+        auth_type = config["auth"]["http_auth_type"]
+        if auth_type in (HTTP_AUTH_TYPE.SESSION, HTTP_AUTH_TYPE.SESSION_OR_TOKEN):
+            auth_confirmed = auth_confirmed or check_session_auth()
+        if auth_type in (HTTP_AUTH_TYPE.TOKEN, HTTP_AUTH_TYPE.SESSION_OR_TOKEN):
+            auth_confirmed = auth_confirmed or verify_pat(
+                request.headers.get("Authorization", "").replace("Bearer ", "")
+            )
+
         resp = {
             "mindsdb_version": mindsdb_version,
             "environment": environment,
             "auth": {
-                "confirmed": verify_pat(request.headers.get("Authorization", "").replace("Bearer ", "")),
+                "confirmed": auth_confirmed,
                 "http_auth_enabled": config["auth"]["http_auth_enabled"],
                 "provider": auth_provider,
             },

mindsdb/utilities/config.py

@@ -3,6 +3,7 @@
 import json
 import argparse
 import datetime
+import dataclasses
 from pathlib import Path
 from copy import deepcopy
 
@@ -57,6 +58,16 @@ def create_data_dir(path: Path) -> None:
         raise PermissionError(f"The directory is not allowed for writing: {path}")
 
 
+@dataclasses.dataclass(frozen=True)
+class HTTP_AUTH_TYPE:
+    SESSION: str = "session"
+    TOKEN: str = "token"
+    SESSION_OR_TOKEN: str = "session_or_token"
+
+
+HTTP_AUTH_TYPE = HTTP_AUTH_TYPE()
+
+
 class Config:
     """Application config. Singletone, initialized just once. Re-initialyze if `config.auto.json` is changed.
     The class loads multiple configs and merge then in one. If a config option defined in multiple places (config file,
@@ -138,6 +149,7 @@ def __new__(cls, *args, **kwargs) -> "Config":
                 "locks": self.storage_root_path / "locks",
             },
             "auth": {
+                "http_auth_type": HTTP_AUTH_TYPE.SESSION_OR_TOKEN,  # token | session | session_or_token
                 "http_auth_enabled": False,
                 "http_permanent_session_lifetime": datetime.timedelta(days=31),
                 "username": "mindsdb",
@@ -283,6 +295,12 @@ def prepare_env_config(self) -> None:
             self._env_config["auth"]["password"] = http_password
         # endregion
 
+        http_auth_type = os.environ.get("MINDSDB_HTTP_AUTH_TYPE", "").lower()
+        if http_auth_type in dataclasses.astuple(HTTP_AUTH_TYPE):
+            self._env_config["auth"]["http_auth_type"] = http_auth_type
+        elif http_auth_type != "":
+            raise ValueError(f"Wrong value of env var MINDSDB_HTTP_AUTH_TYPE={http_auth_type}")
+
         # region logging
         if os.environ.get("MINDSDB_LOG_LEVEL", "") != "":
             self._env_config["logging"]["handlers"]["console"]["level"] = os.environ["MINDSDB_LOG_LEVEL"]