🎨 Adds authentication for new style dynamic services and platform vendor services ⚠️

[GitHK]

⚠️ devops

• followup issue for OPS Add "manual" service to a new stack called "vendors" osparc-ops-environments#830

What do these changes do?

Traefik's forwardauth middleware is used to authenticate requests based on cookies. This allows for services under the same subdomain as osparc.io to no longer be shown if the user is not logged in.

• 🎨 extended webserver to share cookies with all it's subdomains to enable cookie authentication across subdomains (from my research this is safe since there is no way for a malicious actor to overwrite the cookie's domain)
• ✨ added /v0/auth:check to webserver which allows Traefik's middleware to check authentication of incoming requests with negligible impact on performance
• 🎨 new style dynamic services require login
• ✨ added vendor services stack
• ✨ added manual service inside vendor stack with possibility to configure image domain and replicas (for turning on and off)

Side effects for new style dynamic services

After a service is opened in a browser, users could typically copy the UUID.services.osparc.io address and open it somewhere else. Under the following conditions this is no longer possible:

• a new "private" window is opened
• opened in a different browser
• if the portal was opened on Safari in Private Browsing mode all tabs in the window do not share any information (normal mode still works)

Side effect login behaviour change

This has no impact on any of our deployments.

Some tests were running on http://127.0.0.1:9081. This no longer works, the cookie is not set because .127.0.0.1 is not a valid domain name for the cookie.
Instead use http://127.0.0.1.nip.io:9081 which sets the cookie's domain to .127.0.0.1.nip.io which is a valid domain.

Related issue/s

• make s4l manual available to logged in users osparc-issues#1504

How to test

Dev-ops checklist

• No ENV changes or I properly updated ENV (read the instruction)

[codecov]

Codecov Report

Attention: Patch coverage is 86.66667% with 4 lines in your changes missing coverage. Please review.

Project coverage is 88.1%. Comparing base (cafbf96) to head (cf4b23f).
Report is 621 commits behind head on master.

Files with missing lines	Patch %	Lines
...er/src/simcore_service_webserver/session/plugin.py	80.0%	4 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##           master   #6484      +/-   ##
=========================================
+ Coverage    84.5%   88.1%    +3.5%     
=========================================
  Files          10    1540    +1530     
  Lines         214   63138   +62924     
  Branches       25    2058    +2033     
=========================================
+ Hits          181   55647   +55466     
- Misses         23    7176    +7153     
- Partials       10     315     +305     

Flag	Coverage Δ
integrationtests	64.7% <80.0%> (?)
unittests	86.1% <83.3%> (+1.5%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
...ctor_v2/core/dynamic_services_settings/__init__.py	100.0% <100.0%> (ø)
...ules/dynamic_sidecar/docker_service_specs/proxy.py	100.0% <100.0%> (ø)
.../simcore_service_webserver/login/_auth_handlers.py	97.3% <100.0%> (ø)
...er/src/simcore_service_webserver/session/plugin.py	87.8% <80.0%> (ø)

... and 1486 files with indirect coverage changes

[matusdrobuliak66]

👍

[pcrespov]

Thx. Looks real good. I left some suggestions

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[jsaq007]

👍🏼