Split auth away from default server

Author: msujew

package.json

@@ -61,7 +61,6 @@
     "@vscode/vscode-languagedetection": "1.0.15",
     "applicationinsights": "1.0.8",
     "chokidar": "3.5.1",
-    "express": "^4.17.1",
     "graceful-fs": "4.2.6",
     "http-proxy-agent": "^2.1.0",
     "https-proxy-agent": "^2.2.3",

src/vs/server/browser/workbench/login.html

@@ -161,16 +161,16 @@
 		<div class="card-box">
 			<div class="header">
 				<h1 class="main">Welcome to VSCode Server</h1>
-				<div class="sub">Please log in below.</div>
+				<div class="sub">Please log in below. If you haven't set a password on startup, an automatically generated password will be visible in the server logs.</div>
 			</div>
 			<div class="content">
 				<form class="login-form" action="/login" method="post">
 					<input class="user" type="text" autocomplete="username" />
 					<input id="base" type="hidden" name="base" value="/" />
 					<div class="field">
-						<input required autofocus class="password" type="password" placeholder="PASSWORD" name="password"
+						<input required autofocus class="password" type="password" placeholder="Enter password..." name="password"
 							autocomplete="current-password" />
-						<input class="submit -button" value="SUBMIT" type="submit" />
+						<input class="submit -button" value="Login" type="submit" />
 					</div>
 				</form>
 			</div>

src/vs/server/node/args.ts

@@ -1,3 +1,7 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Gitpod. All rights reserved.
+ *--------------------------------------------------------------------------------------------*/
+
 import * as path from 'path';
 import * as os from 'os';
 import { URI } from 'vs/base/common/uri';
@@ -8,13 +12,11 @@ import product from 'vs/platform/product/common/product';
 export interface ServerParsedArgs extends NativeParsedArgs {
 	port?: string
 	password?: string
-	hashedPassword?: string
 }
 const SERVER_OPTIONS: OptionDescriptions<Required<ServerParsedArgs>> = {
 	...OPTIONS,
 	port: { type: 'string' },
-	password: { type: 'string' },
-	hashedPassword: { type: 'string' }
+	password: { type: 'string' }
 };
 
 export const devMode = !!process.env['VSCODE_DEV'];

src/vs/server/node/auth-http.ts

@@ -0,0 +1,70 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Gitpod. All rights reserved.
+ *--------------------------------------------------------------------------------------------*/
+
+import * as path from 'path';
+import * as http from 'http';
+import { ILogService } from 'vs/platform/log/common/log';
+import { parse } from 'querystring';
+import { args } from 'vs/server/node/args';
+import { authenticated, generateAndSetPassword, handlePasswordValidation } from 'vs/server/node/auth';
+import { APP_ROOT, serveError, serveFile } from 'vs/server/node/server.main';
+
+const LOGIN = path.join(APP_ROOT, 'out', 'vs', 'server', 'browser', 'workbench', 'login.html');
+
+export async function handleServerRequest(pathname: string | null, req: http.IncomingMessage, res: http.ServerResponse, logService: ILogService): Promise<boolean> {
+	if (args.password === undefined) {
+		await generateAndSetPassword(logService);
+	}
+	const auth = await authenticated(args, req);
+	if (!auth) {
+		if (pathname === '/') {
+			serveFile(logService, req, res, LOGIN);
+			return true;
+		}
+		if (pathname === '/login') {
+			const password = (await collectRequestData(req)).password;
+			const { isPasswordValid, hashedPassword } = await handlePasswordValidation({
+				passwordFromRequestBody: password,
+				passwordFromArgs: args.password,
+			});
+
+			if (isPasswordValid) {
+				res.writeHead(302, {
+					'Location': '/',
+					'Set-Cookie': `key=${hashedPassword}`,
+					'Content-Type': 'text/plain'
+				});
+			} else {
+				res.writeHead(302, {
+					'Location': '/',
+					'Content-Type': 'text/plain'
+				});
+			}
+			res.end('');
+			return true;
+		}
+		serveError(req, res, 401, 'Unauthorized');
+		return true;
+	}
+	return false;
+}
+
+function collectRequestData(request: http.IncomingMessage): Promise<Record<string, string>> {
+	return new Promise(resolve => {
+		const FORM_URLENCODED = 'application/x-www-form-urlencoded';
+		if (request.headers['content-type'] === FORM_URLENCODED) {
+			let body = '';
+			request.on('data', chunk => {
+				body += chunk.toString();
+			});
+			request.on('end', () => {
+				const item = parse(body) as Record<string, string>;
+				resolve(item);
+			});
+		}
+		else {
+			resolve({});
+		}
+	});
+}

src/vs/server/node/auth.ts

@@ -1,71 +1,85 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Gitpod. All rights reserved.
+ *--------------------------------------------------------------------------------------------*/
+
+import * as http from 'http';
 import * as crypto from 'crypto';
-import * as express from 'express';
-import { ServerParsedArgs } from 'vs/server/node/args';
-
-/** Ensures that the input is sanitized by checking
- * - it's a string
- * - greater than 0 characters
- * - trims whitespace
- */
+import { args, ServerParsedArgs } from 'vs/server/node/args';
+import { ILogService } from 'vs/platform/log/common/log';
+
 export function sanitizeString(str: string): string {
-	// Very basic sanitization of string
-	// Credit: https://stackoverflow.com/a/46719000/3015595
 	return typeof str === 'string' && str.trim().length > 0 ? str.trim() : '';
 }
 
-/**
- * Return true if authenticated via cookies.
- */
-export const authenticated = async (args: ServerParsedArgs, req: express.Request): Promise<boolean> => {
-	if (!args.password && !args.hashedPassword) {
+function parseCookies(request: http.IncomingMessage): Record<string, string> {
+	const cookies: Record<string, string> = {},
+		rc = request.headers.cookie;
+
+	// eslint-disable-next-line code-no-unused-expressions
+	rc && rc.split(';').forEach(cookie => {
+		let parts = cookie.split('=');
+		if (parts.length > 0) {
+			const name = parts.shift()!.trim();
+			let value = decodeURI(parts.join('='));
+			cookies[name] = value;
+		}
+	});
+
+	return cookies;
+}
+
+export const authenticated = async (args: ServerParsedArgs, req: http.IncomingMessage): Promise<boolean> => {
+	if (!args.password) {
 		return true;
 	}
+	const cookies = parseCookies(req);
 	const isCookieValidArgs: IsCookieValidArgs = {
-		cookieKey: sanitizeString(req.cookies.key),
+		cookieKey: sanitizeString(cookies.key),
 		passwordFromArgs: args.password || ''
 	};
 
 	return await isCookieValid(isCookieValidArgs);
 };
 
-type PasswordValidation = {
+interface PasswordValidation {
 	isPasswordValid: boolean
 	hashedPassword: string
-};
+}
 
-type HandlePasswordValidationArgs = {
-	/** The password provided by the user */
+interface HandlePasswordValidationArgs {
 	passwordFromRequestBody: string | undefined
-	/** The password set in PASSWORD or config */
 	passwordFromArgs: string | undefined
-};
+}
 
 function safeCompare(a: string, b: string): boolean {
-	if (b.length > a.length) {
-		a = a.padEnd(b.length, '0');
-	}
-	if (a.length > b.length) {
-		b = b.padEnd(a.length, '0');
+	return a.length === b.length && crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+}
+
+export async function generateAndSetPassword(logService: ILogService, length = 24): Promise<void> {
+	if (args.password || !length) {
+		return;
 	}
-	return crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+	const password = await generatePassword(length);
+	args.password = password;
+	logService.info(`Automatically generated password\r\n        ${password}`);
 }
 
-export const generatePassword = async (length = 24): Promise<string> => {
+export async function generatePassword(length = 24): Promise<string> {
 	const buffer = Buffer.alloc(Math.ceil(length / 2));
 	await new Promise(resolve => {
 		crypto.randomFill(buffer, (_, buf) => resolve(buf));
 	});
 	return buffer.toString('hex').substring(0, length);
-};
+}
 
-export const hash = (str: string): string => {
+export function hash(str: string): string {
 	return crypto.createHash('sha256').update(str).digest('hex');
-};
+}
 
-export const isHashMatch = (password: string, hashPassword: string) => {
-	const hashedWithLegacy = hash(password);
-	return safeCompare(hashedWithLegacy, hashPassword);
-};
+export function isHashMatch(password: string, hashPassword: string): boolean {
+	const hashed = hash(password);
+	return safeCompare(hashed, hashPassword);
+}
 
 export async function handlePasswordValidation({
 	passwordFromArgs,