Skip to content

Add web_ide_oauth feature flag

Paul Slaughter requested to merge ps-introduce-web-ide-oauth into master

What does this MR do and why?

This MR introduces a web_ide_oauth development feature flag and basic implementation for this typefeature featureenhancement.

context: Currently the Web IDE uses cookie auth to authenticate with the API requests. It does this by working around the VSCode extension sandbox through "mediator commands". These "mediator commands" would be a security risk if we enabled the VSCode extension marketplace.

For us to securely enable the VSCode extension marketplace and use baked-in VSCode features like settings sync, we need to adopt OAuth over cookie-based authentication.

Screenshots or screen recordings

20231201_oauth_demo

How to set up and validate locally

  1. In rails console enable the web_ide_oauth feature flag

    Feature.enable(:web_ide_oauth)
  2. Visit any project page and click Edit then Web IDE

  3. The Web IDE should load up seamlessly. Meanwhile, you should notice an "Authentication..." page pop up which is part of the OAuth handshake.

  4. When opening a file, see the raw XHR request and confirm that the OAuth token is included in the Authorization request header

    Screenshot_2023-12-01_at_12.32.01_AM

Database Review Queries

For application_settings.update!(web_ide_oauth_application: application)

UPDATE "application_settings" SET "updated_at" = '2023-12-01 02:05:01.198115', "web_ide_oauth_application_id" = 27 
WHERE "application_settings"."id" = 1
/*application:web,correlation_id:01HGHHYGK63AS8AB81WMHPSDR7,endpoint_id:IdeController#index,db_config_name:main,line:/lib/gitlab/web_ide/default_oauth_application.rb:33:in `block in ensure_oauth_application!'*/

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Paul Slaughter

Merge request reports

Loading