software/theia: require credentials to serve the manifest

favicon, manifest and service worker do not need to be public, for manifest it's required to explicitly make the link use credential.

software/theia: require credentials to serve the manifest
favicon, manifest and service worker do not need to be public, for manifest it's required to explicitly make the link use credential.
91cf2d1f · Jérome Perrin · 81775aec · 91cf2d1f · 91cf2d1f · 91cf2d1f
Commit 91cf2d1f authored Oct 05, 2023 by Jérome Perrin
5 changed files
--- a/component/theia/buildout.hash.cfg
+++ b/component/theia/buildout.hash.cfg
@@ -15,7 +15,7 @@

 [preloadTemplate.html]
 _update_hash_filename_ = preloadTemplate.html
-md5sum = 6343592161a349bb40e0de16ce67aa51
+md5sum = a27e2cb34e4efe2ed0d4698f505554f0

 [yarn.lock]
 _update_hash_filename_ = yarn.lock

--- a/component/theia/preloadTemplate.html
+++ b/component/theia/preloadTemplate.html
@@ -7,6 +7,7 @@
  link = document.createElement('link');
  link.rel = "manifest";
  link.href = "/theia.webmanifest";
+  link.crossOrigin = "use-credentials";
  document.head.appendChild(link);

  if ('serviceWorker' in navigator) {

--- a/software/theia/buildout.hash.cfg
+++ b/software/theia/buildout.hash.cfg
@@ -15,7 +15,7 @@

 [instance-theia]
 _update_hash_filename_ = instance-theia.cfg.jinja.in
-md5sum = c484bba770c6404ba0a5b2a958b07a68
+md5sum = b31e74f018ae92607f4ff63984b33c7a

 [instance]
 _update_hash_filename_ = instance.cfg.in

--- a/software/theia/instance-theia.cfg.jinja.in
+++ b/software/theia/instance-theia.cfg.jinja.in
@@ -260,15 +260,18 @@ content =
  frontend app
    log global
    bind $${:ip}:$${:port} ssl crt $${frontend-instance-certificate:cert-file} alpn h2,http/1.1
-    # writing twice the same ACL is doing OR
    acl is_public path_beg /public/
-    acl is_public path /$${frontend-instance-favicon.ico:filename}
-    acl is_public path /$${frontend-instance-theia.webmanifest:filename}
-    acl is_public path /$${frontend-instance-theia-serviceworker.js:filename}
    acl auth_ok http_auth(basic-auth-list)
+    # writing twice the same ACL is doing OR
+    acl is_static path_beg /$${frontend-instance-fonts:folder-name}
+    acl is_static path_beg /$${frontend-instance-slapos.css:folder-name}
+    acl is_static path /$${frontend-instance-logo:filename}
+    acl is_static path /$${frontend-instance-favicon.ico:filename}
+    acl is_static path /$${frontend-instance-theia.webmanifest:filename}
+    acl is_static path /$${frontend-instance-theia-serviceworker.js:filename}
    # No authentication for public folder
    http-request auth unless auth_ok || is_public
-    use_backend static if { path_beg /$${frontend-instance-fonts:folder-name} } || { path_beg /$${frontend-instance-slapos.css:folder-name} } || { path /$${frontend-instance-logo:filename} } || is_public
+    use_backend static if is_static || is_public
    default_backend nodejs

  backend nodejs

--- a/software/theia/test/test.py
+++ b/software/theia/test/test.py
@@ -161,10 +161,22 @@ class TestTheia(TheiaTestCase):
    self.assertIn('test_file', get('/public/'))
    self.assertEqual('hello', get('/public/test_file'))

-    # there's a (not empty) favicon (no need for authentication)
-    resp = self.get(urljoin(url, '/favicon.ico'))
+    # favicon is not empty
+    self.get(urljoin(url, '/favicon.ico'), requests.codes.unauthorized)
+    resp = self.get(urljoin(authenticated_url, '/favicon.ico'))
+    resp.raise_for_status()
    self.assertTrue(resp.raw)

+    self.get(urljoin(url, '/theia-serviceworker.js'), requests.codes.unauthorized)
+    resp = self.get(urljoin(authenticated_url, '/theia-serviceworker.js'))
+    resp.raise_for_status()
+    self.assertTrue(resp.raw)
+
+    self.get(urljoin(url, '/theia.webmanifest'), requests.codes.unauthorized)
+    resp = self.get(urljoin(authenticated_url, '/theia.webmanifest'))
+    resp.raise_for_status()
+    self.assertIn('Theia SlapOS', resp.text)
+
    # there is a CSS referencing fonts
    css_text = self.get(urljoin(authenticated_url, '/css/slapos.css')).text
    css_urls = re.findall(r'url\([\'"]+([^\)]+)[\'"]+\)', css_text)