feat(ui): add opt-in protection for the DevSpace UI

- add token-based auth for sensitive UI routes and browser handoff
- wire the UI client to persist and send the auth token on protected requests
- add `--protect-ui` so auth and sensitive var redaction are opt-in and the default UI behavior stays unchanged
- expose the UI protection mode in server discovery and reuse only matching local UI servers
- cover protected and unprotected server behavior with tests

Signed-off-by: Ryan Swanson <ryan.swanson@loft.sh>

Author: zerbitx

assets/assets.go

@@ -11,6 +11,7 @@ type GlobalFlags struct {
 	NoWarn                   bool
 	NoColors                 bool
 	Debug                    bool
+	ProtectUI                bool
 	DisableProfileActivation bool
 	SwitchContext            bool
 	InactivityTimeout        int
@@ -48,6 +49,7 @@ func SetGlobalFlags(flags *flag.FlagSet) *GlobalFlags {
 	flags.BoolVar(&globalFlags.NoWarn, "no-warn", false, "If true does not show any warning when deploying into a different namespace or kube-context than before")
 	flags.BoolVar(&globalFlags.NoColors, "no-colors", false, "Do not show color highlighting in log output. This avoids invisible output with different terminal background colors")
 	flags.BoolVar(&globalFlags.Debug, "debug", false, "Prints the stack trace if an error occurs")
+	flags.BoolVar(&globalFlags.ProtectUI, "protect-ui", false, "Enable UI protections such as auth checks for sensitive routes and redaction of sensitive config values")
 	flags.BoolVar(&globalFlags.Silent, "silent", false, "Run in silent mode and prevents any devspace log output except panics & fatals")
 
 	flags.StringSliceVarP(&globalFlags.Profiles, "profile", "p", []string{}, "The DevSpace profiles to apply. Multiple profiles are applied in the order they are specified")

cmd/flags/flags.go

@@ -459,7 +459,7 @@ func runPipeline(ctx devspacecontext.Context, args []string, options *CommandOpt
 	})
 
 	// start ui & open
-	serv, err := dev.UI(ctx, options.UIPort, options.ShowUI, pipe)
+	serv, err := dev.UI(ctx, options.UIPort, options.ShowUI, options.ProtectUI, pipe)
 	if err != nil {
 		return err
 	}

cmd/run_pipeline.go

@@ -121,9 +121,9 @@ func (cmd *UICmd) RunUI(f factory.Factory) error {
 					continue
 				}
 
-				if serverVersion.DevSpace {
+				if serverVersion.DevSpace && serverVersion.Protected == cmd.ProtectUI {
 					cmd.log.Infof("Found running UI server at %s", domain)
-					_ = open.Start(domain)
+					_ = open.Start(server.BrowserURL(fmt.Sprintf("%s:%d", cmd.Host, checkPort)))
 					return nil
 				}
 
@@ -190,17 +190,17 @@ func (cmd *UICmd) RunUI(f factory.Factory) error {
 	}
 
 	// Create server
-	server, err := server.NewServer(ctx, cmd.Host, cmd.Dev, forcePort, nil)
+	server, err := server.NewServer(ctx, cmd.Host, cmd.Dev, forcePort, nil, cmd.ProtectUI)
 	if err != nil {
 		return err
 	}
 
 	// Open the browser
 	if !cmd.Dev {
-		go func(domain string) {
+		go func(url string) {
 			time.Sleep(time.Second * 2)
-			_ = open.Start("http://" + domain)
-		}(server.Server.Addr)
+			_ = open.Start(url)
+		}(server.BrowserURL())
 	}
 
 	cmd.log.Infof("Start listening on http://%s", server.Server.Addr)

cmd/ui.go

@@ -9,15 +9,15 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
-func UI(ctx devspacecontext.Context, port int, showUI bool, pipeline types.Pipeline) (*server.Server, error) {
+func UI(ctx devspacecontext.Context, port int, showUI bool, protectUI bool, pipeline types.Pipeline) (*server.Server, error) {
 	var defaultPort *int
 	if port != 0 {
 		defaultPort = &port
 	}
 
 	// Create server
 	uiLogger := log.GetFileLogger("ui")
-	serv, err := server.NewServer(ctx.WithLogger(uiLogger), "localhost", false, defaultPort, pipeline)
+	serv, err := server.NewServer(ctx.WithLogger(uiLogger), "localhost", false, defaultPort, pipeline, protectUI)
 	if err != nil {
 		ctx.Log().Warnf("Couldn't start UI server: %v", err)
 	} else {
@@ -33,7 +33,7 @@ func UI(ctx devspacecontext.Context, port int, showUI bool, pipeline types.Pipel
 
 		if showUI {
 			ctx.Log().WriteString(logrus.InfoLevel, "\n#########################################################\n")
-			ctx.Log().Infof("DevSpace UI available at: %s", ansi.Color("http://"+serv.Server.Addr, "white+b"))
+			ctx.Log().Infof("DevSpace UI available at: %s", ansi.Color(serv.BrowserURL(), "white+b"))
 			ctx.Log().WriteString(logrus.InfoLevel, "#########################################################\n\n")
 		}
 	}

pkg/devspace/dev/dev.go

@@ -0,0 +1,200 @@
+package server
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/hex"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/loft-sh/devspace/pkg/devspace/config/constants"
+
+	"github.com/mitchellh/go-homedir"
+)
+
+const (
+	authCookieName  = "devspace-ui-session"
+	authHeaderName  = "X-DevSpace-UI-Token"
+	authQueryParam  = "devspace-ui-token"
+	authTokenFolder = "sessions"
+)
+
+func generateAuthToken() (string, error) {
+	token := make([]byte, 32)
+	_, err := rand.Read(token)
+	if err != nil {
+		return "", err
+	}
+
+	return hex.EncodeToString(token), nil
+}
+
+func authMiddleware(h *handler, next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if !h.isAuthorized(r) {
+			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
+
+func (h *handler) index(w http.ResponseWriter, r *http.Request) {
+	if !h.authorizeIndexRequest(w, r) {
+		return
+	}
+
+	http.ServeFile(w, r, filepath.Join(h.path, "index.html"))
+}
+
+func (h *handler) authorizeIndexRequest(w http.ResponseWriter, r *http.Request) bool {
+	if !h.protectUI {
+		return true
+	}
+
+	if token := r.URL.Query().Get(authQueryParam); token != "" {
+		if !tokensEqual(token, h.authToken) {
+			http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+			return false
+		}
+
+		h.setAuthCookie(w)
+
+		redirectURL := *r.URL
+		query := redirectURL.Query()
+		query.Del(authQueryParam)
+		redirectURL.RawQuery = query.Encode()
+		if redirectURL.Path == "" {
+			redirectURL.Path = "/"
+		}
+
+		http.Redirect(w, r, redirectURL.String(), http.StatusTemporaryRedirect)
+		return false
+	}
+
+	if h.isAuthorized(r) {
+		return true
+	}
+
+	http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+	return false
+}
+
+func (h *handler) setAuthCookie(w http.ResponseWriter) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     authCookieName,
+		Value:    h.authToken,
+		HttpOnly: true,
+		Path:     "/",
+		SameSite: http.SameSiteStrictMode,
+	})
+}
+
+func (h *handler) isAuthorized(r *http.Request) bool {
+	if cookie, err := r.Cookie(authCookieName); err == nil && tokensEqual(cookie.Value, h.authToken) {
+		return true
+	}
+
+	if token := r.Header.Get(authHeaderName); tokensEqual(token, h.authToken) {
+		return true
+	}
+
+	authorization := r.Header.Get("Authorization")
+	if strings.HasPrefix(strings.ToLower(authorization), "bearer ") && tokensEqual(strings.TrimSpace(authorization[7:]), h.authToken) {
+		return true
+	}
+
+	return tokensEqual(r.URL.Query().Get(authQueryParam), h.authToken)
+}
+
+func tokensEqual(left, right string) bool {
+	if left == "" || right == "" {
+		return false
+	}
+
+	return subtle.ConstantTimeCompare([]byte(left), []byte(right)) == 1
+}
+
+func (s *Server) BrowserURL() string {
+	return browserURL(s.Server.Addr, s.authToken)
+}
+
+func BrowserURL(addr string) string {
+	token, err := readAuthToken(addr)
+	if err != nil {
+		return browserURL(addr, "")
+	}
+
+	return browserURL(addr, token)
+}
+
+func browserURL(addr, token string) string {
+	u := &url.URL{
+		Scheme: "http",
+		Host:   addr,
+		Path:   "/",
+	}
+	if token != "" {
+		query := u.Query()
+		query.Set(authQueryParam, token)
+		u.RawQuery = query.Encode()
+	}
+
+	return u.String()
+}
+
+func persistAuthToken(addr, token string) error {
+	path, err := authTokenPath(addr)
+	if err != nil {
+		return err
+	}
+
+	err = os.MkdirAll(filepath.Dir(path), 0700)
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(path, []byte(token), 0600)
+}
+
+func readAuthToken(addr string) (string, error) {
+	path, err := authTokenPath(addr)
+	if err != nil {
+		return "", err
+	}
+
+	token, err := os.ReadFile(path)
+	if err != nil {
+		return "", err
+	}
+
+	return strings.TrimSpace(string(token)), nil
+}
+
+func removeAuthToken(addr string) error {
+	path, err := authTokenPath(addr)
+	if err != nil {
+		return err
+	}
+
+	err = os.Remove(path)
+	if err != nil && !os.IsNotExist(err) {
+		return err
+	}
+
+	return nil
+}
+
+func authTokenPath(addr string) (string, error) {
+	home, err := homedir.Dir()
+	if err != nil {
+		return "", err
+	}
+
+	replacer := strings.NewReplacer(":", "_", "/", "_", "\\", "_")
+	return filepath.Join(home, constants.DefaultHomeDevSpaceFolder, UITempFolder, authTokenFolder, replacer.Replace(addr)+".token"), nil
+}