diff --git a/charts/simpipe/templates/deployment-controller.yaml b/charts/simpipe/templates/deployment-controller.yaml
index 945bd353..59d82bcf 100644
--- a/charts/simpipe/templates/deployment-controller.yaml
+++ b/charts/simpipe/templates/deployment-controller.yaml
@@ -59,7 +59,9 @@ spec:
 - name: PROMETHEUS_SERVER_URL
 value: {{ .Values.controller.prometheus.serverUrl | quote }}
 - name: NODE_ENV
- value: development
+ value: {{ .Values.controller.nodeEnv | quote }}
+ - name: OAUTH2_ISSUER_ENDPOINT
+ value: {{ .Values.controller.oauth2.issuerEndpoint | quote }}
 ports:
 - name: http
 containerPort: {{ .Values.controller.service.port }}
diff --git a/charts/simpipe/values.yaml b/charts/simpipe/values.yaml
index db02ac71..190d6c67 100644
--- a/charts/simpipe/values.yaml
+++ b/charts/simpipe/values.yaml
@@ -31,6 +31,9 @@ controller:
 endpoint: http://simpipe-argo-workflows-server:2746/
 prometheus:
 serverUrl: http://prometheus-operated:9090
+ nodeEnv: development
+ oauth2:
+ issuerEndpoint: ""
 
 serviceAccount:
 # Annotations to add to the service account
diff --git a/controller/src/server/auth-jwt-middleware.ts b/controller/src/server/auth-jwt-middleware.ts
index 78469b8d..e7333c38 100644
--- a/controller/src/server/auth-jwt-middleware.ts
+++ b/controller/src/server/auth-jwt-middleware.ts
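Review bot: In deployment-controller.yaml, `OAUTH2_ISSUER_ENDPOINT` is now always emitted, and with the chart default `issuerEndpoint: ""` the `| quote` filter renders it as an empty string rather than leaving it unset. The middleware changed in this commit tests `oauth2IssuerEndpoint === undefined`. How that value is read from the environment is not visible here, but if it comes straight from `process.env`, an empty string will not match and the controller would skip the local-user branch with no usable issuer. Wrapping the two added lines in `{{- if .Values.controller.oauth2.issuerEndpoint }}` and `{{- end }}` keeps the variable absent when no issuer is configured, so the pod's auth mode is unambiguous.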
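Review bot: The new defaults in values.yaml (`nodeEnv: development`, `issuerEndpoint: ""`) carry no comments, although the `serviceAccount` entry just below is commented and these two keys decide whether the controller validates tokens at all. I would add a comment above each, for example `# Passed to the controller as NODE_ENV; set to "production" for real deployments` and `# OAuth2 issuer URL used to validate bearer tokens; leave empty only for local development`. What an empty issuer does at runtime depends on how the controller reads the variable, which this diff does not show, so the comment wording should be checked against that code.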
@@ -62,17 +62,24 @@ const fixedLocalAuth: Auth = {
 async function hybridAuthJwtMiddlewareAsync(
 request: Request, response: Response, next: NextFunction,
 ): Promise {
+ // Load the Authorisation header
+ // and that the header is a Bearer token
+ const authHeader = request.headers.authorization;
+
 // If we are in development mode, we allow a fixed local user
 if (oauth2IssuerEndpoint === undefined) {
+ // Throw an error if the user is trying to use a bearer token
+ // It might be a dangerous mistake
+ if (authHeader) {
+ response.sendStatus(400);
+ return;
+ }
+
 (request as unknown as { auth: Auth }).auth = fixedLocalAuth;
 next();
 return;
 }
 
- // Load the Authorisation header
- // and that the header is a Bearer token
- const authHeader = request.headers.authorization;
-
 // We allow anonymous access to the API
 if (!authHeader) {
 next();
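Review bot: The new `if (authHeader)` guard only helps clients that send a header: a request without one still receives `fixedLocalAuth` whenever `oauth2IssuerEndpoint === undefined`, and that condition is not tied to `NODE_ENV` even though the comment calls it development mode. A production pod whose issuer setting is missing would therefore treat every header-less request as the fixed local user. Consider failing at startup instead, e.g. `if (oauth2IssuerEndpoint === undefined && process.env.NODE_ENV === 'production') throw new Error('OAUTH2_ISSUER_ENDPOINT is required in production');`, placed where the issuer is read, which is outside this hunk. The bare `response.sendStatus(400)` would also be easier to diagnose with a log line or short body saying that no issuer is configured. The function body continues past the end of the hunk.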