Fix controller oauth2 support in shared deployments

charts/simpipe/templates/deployment-controller.yaml

@@ -59,7 +59,9 @@ spec:
             - name: PROMETHEUS_SERVER_URL
               value: {{ .Values.controller.prometheus.serverUrl | quote }}
             - name: NODE_ENV
-              value: development
+              value: {{ .Values.controller.nodeEnv | quote }}
+            - name: OAUTH2_ISSUER_ENDPOINT
+              value: {{ .Values.controller.oauth2.issuerEndpoint | quote }}
           ports:
             - name: http
               containerPort: {{ .Values.controller.service.port }}

charts/simpipe/values.yaml

@@ -31,6 +31,9 @@ controller:
     endpoint: http://simpipe-argo-workflows-server:2746/
   prometheus:
     serverUrl: http://prometheus-operated:9090
+  nodeEnv: development
+  oauth2:
+    issuerEndpoint: ""
 
   serviceAccount:
     # Annotations to add to the service account

controller/src/server/auth-jwt-middleware.ts

@@ -62,17 +62,24 @@ const fixedLocalAuth: Auth = {
 async function hybridAuthJwtMiddlewareAsync(
   request: Request, response: Response, next: NextFunction,
 ): Promise<void> {
+  // Load the Authorisation header
+  // and that the header is a Bearer token
+  const authHeader = request.headers.authorization;
+
   // If we are in development mode, we allow a fixed local user
   if (oauth2IssuerEndpoint === undefined) {
+    // Throw an error if the user is trying to use a bearer token
+    // It might be a dangerous mistake
+    if (authHeader) {
+      response.sendStatus(400);
+      return;
+    }
+
     (request as unknown as { auth: Auth }).auth = fixedLocalAuth;
     next();
     return;
   }
 
-  // Load the Authorisation header
-  // and that the header is a Bearer token
-  const authHeader = request.headers.authorization;
-
   // We allow anonymous access to the API
   if (!authHeader) {
     next();