Implement basic authentification

Author: msujew

src/vs/server/browser/workbench/login.html

@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<html lang="en">
+	<head>
+		<meta charset="utf-8" />
+		<title>vscode-web-server login</title>
+		<style>
+			form {
+				position: absolute;
+				left: 50%;
+				top: 50%;
+				-webkit-transform: translate(-50%, -50%);
+				transform: translate(-50%, -50%);
+			}
+			.text {
+				max-width: 400px;
+			}
+			.password {
+				width: 300px;
+			}
+		</style>
+	</head>
+	<body>
+		<form action="/" method="post">
+			<input style="display: none;" type="text" autocomplete="username" />
+			<p class="text">Please login with your password. If you haven't set one yourself, you can find it in the server logs.</p>
+			<div class="field">
+				<input class="password" required autofocus type="password" placeholder="Enter password..." name="password" autocomplete="current-password" />
+				<input value="Login" type="submit" />
+			</div>
+		</form>
+	</body>
+</html>

src/vs/server/node/args.ts

@@ -0,0 +1,24 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Gitpod. All rights reserved.
+ *--------------------------------------------------------------------------------------------*/
+
+import * as path from 'path';
+import * as os from 'os';
+import { URI } from 'vs/base/common/uri';
+import { NativeParsedArgs } from 'vs/platform/environment/common/argv';
+import { OptionDescriptions, OPTIONS, parseArgs } from 'vs/platform/environment/node/argv';
+import product from 'vs/platform/product/common/product';
+
+export interface ServerParsedArgs extends NativeParsedArgs {
+	port?: string
+	password?: string
+}
+const SERVER_OPTIONS: OptionDescriptions<Required<ServerParsedArgs>> = {
+	...OPTIONS,
+	port: { type: 'string' },
+	password: { type: 'string' }
+};
+
+export const devMode = !!process.env['VSCODE_DEV'];
+export const args = parseArgs(process.argv, SERVER_OPTIONS);
+args['user-data-dir'] = URI.file(path.join(os.homedir(), product.dataFolderName)).fsPath;

src/vs/server/node/auth-http.ts

@@ -0,0 +1,62 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Gitpod. All rights reserved.
+ *--------------------------------------------------------------------------------------------*/
+
+import * as path from 'path';
+import * as http from 'http';
+import { ILogService } from 'vs/platform/log/common/log';
+import { parse } from 'querystring';
+import { args } from 'vs/server/node/args';
+import { authenticated, generateAndSetPassword, handlePasswordValidation } from 'vs/server/node/auth';
+import { APP_ROOT, serveFile } from 'vs/server/node/server.main';
+
+const LOGIN = path.join(APP_ROOT, 'out', 'vs', 'server', 'browser', 'workbench', 'login.html');
+
+export async function handleVerification(req: http.IncomingMessage, res: http.ServerResponse | undefined, logService: ILogService): Promise<boolean> {
+	if (args.password === undefined) {
+		await generateAndSetPassword(logService);
+	}
+	const auth = await authenticated(args, req);
+	if (!auth && res) {
+		const password = (await collectRequestData(req)).password;
+		if (password !== undefined) {
+			const { valid, hashed } = await handlePasswordValidation({
+				reqPassword: password,
+				argsPassword: args.password,
+			});
+
+			if (valid) {
+				res.writeHead(302, {
+					'Set-Cookie': `key=${hashed}; HttpOnly`,
+					'Location': '/'
+				});
+				res.end();
+			} else {
+				serveFile(logService, req, res, LOGIN);
+			}
+		} else {
+			serveFile(logService, req, res, LOGIN);
+		}
+		return false;
+	}
+	return auth;
+}
+
+function collectRequestData(request: http.IncomingMessage): Promise<Record<string, string>> {
+	return new Promise(resolve => {
+		const FORM_URLENCODED = 'application/x-www-form-urlencoded';
+		if (request.headers['content-type'] === FORM_URLENCODED) {
+			let body = '';
+			request.on('data', chunk => {
+				body += chunk.toString();
+			});
+			request.on('end', () => {
+				const item = parse(body) as Record<string, string>;
+				resolve(item);
+			});
+		}
+		else {
+			resolve({});
+		}
+	});
+}

src/vs/server/node/auth.ts

@@ -0,0 +1,94 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Gitpod. All rights reserved.
+ *--------------------------------------------------------------------------------------------*/
+
+import * as http from 'http';
+import * as crypto from 'crypto';
+import { args, ServerParsedArgs } from 'vs/server/node/args';
+import { ILogService } from 'vs/platform/log/common/log';
+
+export function sanitizeString(str: string): string {
+	return typeof str === 'string' && str.trim().length > 0 ? str.trim() : '';
+}
+
+export function parseCookies(request: http.IncomingMessage): Record<string, string> {
+	const cookies: Record<string, string> = {};
+	const rc = request.headers.cookie;
+
+	if (rc) {
+		rc.split(';').forEach(cookie => {
+			let parts = cookie.split('=');
+			if (parts.length > 0) {
+				const name = parts.shift()!.trim();
+				let value = decodeURI(parts.join('='));
+				cookies[name] = value;
+			}
+		});
+	}
+
+	return cookies;
+}
+
+export async function authenticated(args: ServerParsedArgs, req: http.IncomingMessage): Promise<boolean> {
+	if (!args.password) {
+		return true;
+	}
+	const cookies = parseCookies(req);
+	return isHashMatch(args.password || '', sanitizeString(cookies.key));
+};
+
+interface PasswordValidation {
+	valid: boolean
+	hashed: string
+}
+
+interface HandlePasswordValidationArgs {
+	reqPassword: string | undefined
+	argsPassword: string | undefined
+}
+
+function safeCompare(a: string, b: string): boolean {
+	return a.length === b.length && crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+}
+
+export async function generateAndSetPassword(logService: ILogService, length = 24): Promise<void> {
+	if (args.password || !length) {
+		return;
+	}
+	const password = await generatePassword(length);
+	args.password = password;
+	logService.info(`Automatically generated password\r\n        ${password}`);
+}
+
+export async function generatePassword(length = 24): Promise<string> {
+	const buffer = Buffer.alloc(Math.ceil(length / 2));
+	await new Promise(resolve => {
+		crypto.randomFill(buffer, (_, buf) => resolve(buf));
+	});
+	return buffer.toString('hex').substring(0, length);
+}
+
+export function hash(str: string): string {
+	return crypto.createHash('sha256').update(str).digest('hex');
+}
+
+export function isHashMatch(password: string, hashPassword: string): boolean {
+	const hashed = hash(password);
+	return safeCompare(hashed, hashPassword);
+}
+
+export async function handlePasswordValidation({ argsPassword: passwordFromArgs, reqPassword: passwordFromRequestBody }: HandlePasswordValidationArgs): Promise<PasswordValidation> {
+	if (passwordFromRequestBody) {
+		const valid = passwordFromArgs ? safeCompare(passwordFromRequestBody, passwordFromArgs) : false;
+		const hashed = hash(passwordFromRequestBody);
+		return {
+			valid,
+			hashed
+		};
+	}
+
+	return {
+		valid: false,
+		hashed: ''
+	}
+}