ui: add top-level LoginContainer: require login before rendering anything#25005
ui: add top-level LoginContainer: require login before rendering anything#25005craig[bot] merged 4 commits intocockroachdb:masterfrom
Conversation
|
This change is |
There was a problem hiding this comment.
TODO: move this into redux store
There was a problem hiding this comment.
Local storage might be an answer, with a fallback on authorization failure. A quick outline:
- This needs to be in the redux state anyway - move this there.
- After creating the store for the actual page, initialize it with one-time code that checks local storaage and, if it finds the logged-in flat, updates the redux state before the initial rendering.
- When the login method actually succeeds, write to this local state after updating the redux state.
- If a user method gets an authorization error, we need to clear this logged-in state if it exists.
You might see if there is some blessed method of synchronizing pieces of the redux state with local storage, but I doubt it's especially tricky. #4 seems like the hard part.
There was a problem hiding this comment.
Didn't think of local storage, but it makes sense. My plan had been to make index.html a Go template into which I would dump window.loggedInUser = {{ loggedInUser }} or similar. However, index.html is not a nice little static file I can make into a template; it's generated through webpack (ultimately from this: https://github.com/jaketrent/html-webpack-template/blob/master/index.ejs)
So, local storage could work nicely. Will probably move forward with that unless @couchand has objections.
There was a problem hiding this comment.
The general idea here is sound to me; with this method, we also don't need to remember any query params or URL paths, since this just renders in place regardless of the path. I think it's a good place to start.
There was a problem hiding this comment.
@couchand said IRL he thinks this should redirect to /login, not just display the login page on whatever URL you're trying to go to. I think the argument is that with the redirect, we see /login in metrics.
Then we do have to remember where you're trying to go somehow, with a GET parameter or something. (maybe it can be stuffed in the state of LoginContainer somehow, if that's still there).
5c6dd3e to
85000c2
Compare
|
K, changed to use Redux. This also now depends on #25195, which sets Also, need to figure out how to test this. |
|
Reviewed 7 of 7 files at r6. pkg/ui/src/redux/login.ts, line 14 at r6 (raw file):
probably pkg/ui/src/redux/login.ts, line 19 at r6 (raw file):
likewise pkg/ui/src/redux/login.ts, line 21 at r6 (raw file):
suggest keeping the names of these props consistent with pkg/ui/src/redux/login.ts, line 99 at r6 (raw file):
suggest passing two functions to pkg/ui/src/views/login/loginContainer.tsx, line 30 at r1 (raw file): Previously, vilterp (Pete Vilter) wrote…
The usual method is a query parameter with the URL to return to. Need to consider the impact of URL redactions as well. Comments from Reviewable |
|
Review status: 7 of 11 files reviewed at latest revision, 7 unresolved discussions, some commit checks failed. pkg/ui/src/views/login/loginContainer.tsx, line 30 at r1 (raw file): Previously, couchand (Andrew Couch) wrote…
Hm yes, I guess we'd need to make sure to run the value of the query param through redaction before sending to segment. Comments from Reviewable |
|
Review status: 7 of 11 files reviewed at latest revision, 7 unresolved discussions, some commit checks failed. pkg/ui/src/redux/login.ts, line 99 at r6 (raw file): Previously, couchand (Andrew Couch) wrote…
Oh good idea, I didn't know you could do that. I think we do this wrong other places (e.g. CachedDataReducer), resulting in swallowing JS errors as if they're API call errors Comments from Reviewable |
213d712 to
8060345
Compare
|
Added a login indicator on the side. Says "insecure mode" if login is not enabled. (currently, enabled is
|
fcd015c to
99687e2
Compare
|
Updated to redirect. Things remaining here:
|
|
Tested redirect; works nicely! Working on logout. |
…hing Release note: None
This allows us to have one object representing both "is login enabled?" and "does this user have access?" state questions. Release note: None
Previously, the login page was swapped in for the content of a page if a user was not logged in. This changes the behavior to instead redirect to a free standing login page. The original URL accessed is stashed in the query parameter redirectTo, and after authentication the user is returned to that page. Release note: None.
Prevent URLs from slipping though the analytics redactions if the are encoded in a query parameter, as with the login redirect param. Release note: None
|
Reviewed 1 of 7 files at r6, 4 of 8 files at r7, 3 of 5 files at r8, 6 of 6 files at r9, 4 of 4 files at r10. pkg/ui/src/redux/login.ts, line 14 at r6 (raw file): Previously, couchand (Andrew Couch) wrote…
Done. pkg/ui/src/redux/login.ts, line 19 at r6 (raw file): Previously, couchand (Andrew Couch) wrote…
Done. pkg/ui/src/redux/login.ts, line 21 at r6 (raw file): Previously, couchand (Andrew Couch) wrote…
I guess this would change to pkg/ui/src/redux/login.ts, line 99 at r6 (raw file): Previously, vilterp (Pete Vilter) wrote…
Done. pkg/ui/src/views/login/loginContainer.tsx, line 8 at r1 (raw file): Previously, vilterp (Pete Vilter) wrote…
Done. pkg/ui/src/views/login/loginContainer.tsx, line 15 at r1 (raw file): Previously, vilterp (Pete Vilter) wrote…
Done. pkg/ui/src/views/login/loginContainer.tsx, line 30 at r1 (raw file): Previously, vilterp (Pete Vilter) wrote…
Done. Comments from Reviewable |
|
bors r+ |
25005: ui: add top-level LoginContainer: require login before rendering anything r=couchand a=vilterp Depends on #25057 Touches #24939  Shown above: 1. go to admin UI; see login screen 2. error message when you type in the wrong password 3. you can't hit an authenticated endpoint because you don't have a valid session (this checking is turned on by #24944, only in secure mode) 4. once you login with the right password, you can see the UI (the temporary "connection lost" banner shouldn't be there) 5. now you (and the UI itself) can hit endpoints, because you have a valid session Todos: - [ ] redirect to login page instead of current wrapper component switching thing - [ ] logout - [ ] logout button (make API call; redirect to login & blow away redux store) - [ ] log out other tabs (if they get a 403, redirect to login & blow away redux store) - [ ] styling Release note: None 25628: distsql: support lookup join on secondary index r=solongordon a=solongordon joinReader now supports lookup joins on secondary indexes. This was a trivial change for queries where all the output columns are included in the secondary index. I just modified the physical planner to specify the secondary index in the JoinReaderSpec and removed checks which prevented secondary indexes from being used. The more complicated situation is when we want to do a lookup join against a non-covering index. In this case, the logical planner plans an index join before the inner join, but we want to perform the lookup join first. We now handle this by only planning the lookup join during physical planning, not the index join. During execution, the joinReader detects that there are output columns not covered by the secondary index, and it performs primary index lookups as necessary to retrieve the additional columns. Fixes #25431 Co-authored-by: Pete Vilter <vilterp@cockroachlabs.com> Co-authored-by: Andrew Couch <andrew@cockroachlabs.com> Co-authored-by: Solon Gordon <solon@cockroachlabs.com>
Build succeeded |
In cockroachdb#25005 I accidentally let the login indicator leak even if the environment variable wasn't set. This corrects that issue. Release note: None
In cockroachdb#25005 I accidentally let the login indicator leak even if the environment variable wasn't set. This corrects that issue. Release note: None Fixes: cockroachdb#25843 Co-authored-by: Pete Vilter <vilterp@cockroachlabs.com>
25676: storage: Fix flaky TestReplicaNotLeaseHolderError r=a-robinson a=a-robinson Caused by the proactive renewal of expiration-based leases (see #25322 and #25625 for more detail). Fixes #25731 Release note: None I'm not sure how many more of these flakes to expect over the next couple weeks. I'm currently running `stressrace` on all of `pkg/storage` on a gceworker to try and ferret them out if there are any more, but there's no guarantee that'll find all of them. 25816: ui: don't show login indicator unless login is enabled r=couchand a=couchand In #25005 I accidentally let the login indicator leak even if the environment variable wasn't set. This corrects that issue. Release note: None Fixes: #25843 25853: dep: Bump grpc-go to include perf improvements and data race fix r=a-robinson a=a-robinson Un-reverts #24883 to include grpc/grpc-go#2074 This also removed hdrhistogram-writer because it apparently isn't used anymore. Release note: None Maybe we want to wait until they put this into a more formal release SHA, though. Co-authored-by: Alex Robinson <alexdwanerobinson@gmail.com> Co-authored-by: Andrew Couch <andrew@cockroachlabs.com>
Depends on #25057
Touches #24939
Shown above:
Todos:
Release note: None