add integration tests for auth

Author: aktech

pkg/api/logs_handler.go

@@ -8,6 +8,7 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/nebari-dev/jhub-app-proxy/pkg/auth"
 	"github.com/nebari-dev/jhub-app-proxy/pkg/logger"
 	"github.com/nebari-dev/jhub-app-proxy/pkg/process"
 	"github.com/nebari-dev/jhub-app-proxy/pkg/ui"
@@ -275,6 +276,9 @@ func (h *LogsHandler) RegisterRoutesWithPrefix(mux *http.ServeMux, prefix string
 // These routes are at /_temp/jhub-app-proxy/api/* (or with service prefix)
 // and are used by the interim log viewer page.
 //
+// SECURITY: These routes are NOT automatically protected by authentication.
+// The caller MUST wrap them with OAuth middleware if authentication is required.
+//
 // Grace Period Behavior:
 // These routes remain accessible for a grace period after the app deploys,
 // allowing the interim page to fetch final logs before redirecting.
@@ -301,3 +305,31 @@ func (h *LogsHandler) RegisterInterimRoutes(mux *http.ServeMux, basePath string)
 			"GET " + basePath + "/api/logo",
 		})
 }
+
+// RegisterInterimRoutesWithAuth registers all log API routes under the interim path with OAuth authentication
+// CRITICAL SECURITY: Use this method instead of RegisterInterimRoutes when OAuth is enabled!
+//
+// Parameters:
+//   - mux: The HTTP request multiplexer
+//   - basePath: The base interim path
+//   - oauthMW: OAuth middleware for authentication
+func (h *LogsHandler) RegisterInterimRoutesWithAuth(mux *http.ServeMux, basePath string, oauthMW *auth.OAuthMiddleware) {
+	// Wrap each handler with OAuth middleware
+	mux.Handle(basePath+"/api/logs", oauthMW.Wrap(http.HandlerFunc(h.HandleGetLogs)))
+	mux.Handle(basePath+"/api/logs/all", oauthMW.Wrap(http.HandlerFunc(h.HandleGetAllLogs)))
+	mux.Handle(basePath+"/api/logs/since", oauthMW.Wrap(http.HandlerFunc(h.HandleGetLogsSince)))
+	mux.Handle(basePath+"/api/logs/stats", oauthMW.Wrap(http.HandlerFunc(h.HandleGetStats)))
+	mux.Handle(basePath+"/api/logs/clear", oauthMW.Wrap(http.HandlerFunc(h.HandleClearLogs)))
+	mux.Handle(basePath+"/api/logo", oauthMW.Wrap(http.HandlerFunc(h.HandleGetLogo)))
+
+	h.logger.Info("interim log API routes registered WITH OAUTH PROTECTION",
+		"base_path", basePath,
+		"endpoints", []string{
+			"GET " + basePath + "/api/logs",
+			"GET " + basePath + "/api/logs/all",
+			"GET " + basePath + "/api/logs/since",
+			"GET " + basePath + "/api/logs/stats",
+			"DELETE " + basePath + "/api/logs/clear",
+			"GET " + basePath + "/api/logo",
+		})
+}

pkg/config/config.go

@@ -11,7 +11,8 @@ import (
 // Config holds application configuration
 type Config struct {
 	// Authentication
-	AuthType string // "oauth", "none"
+	AuthType        string // "oauth", "none"
+	InterimPageAuth bool   // If true, protect interim pages/logs API even when AuthType is "none"
 
 	// Process
 	Command     []string
@@ -71,6 +72,8 @@ Framework-agnostic - works with any web application (Streamlit, Voila, Panel, et
 	// Core flags
 	rootCmd.Flags().StringVar(&cfg.AuthType, "authtype", "oauth",
 		"Authentication type (oauth, none)")
+	rootCmd.Flags().BoolVar(&cfg.InterimPageAuth, "interim-page-auth", false,
+		"Protect interim pages and logs API with OAuth even when --authtype=none (allows public app with protected logs)")
 	rootCmd.Flags().IntVar(&cfg.Port, "port", 0,
 		"Port for proxy server to listen on (what JupyterHub expects)")
 	rootCmd.Flags().IntVar(&cfg.ListenPort, "listen-port", 0,

pkg/server/server.go

@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/nebari-dev/jhub-app-proxy/pkg/api"
+	"github.com/nebari-dev/jhub-app-proxy/pkg/auth"
 	"github.com/nebari-dev/jhub-app-proxy/pkg/config"
 	"github.com/nebari-dev/jhub-app-proxy/pkg/hub"
 	"github.com/nebari-dev/jhub-app-proxy/pkg/interim"
@@ -58,17 +59,55 @@ func New(cfg Config) (*Server, error) {
 	mux := http.NewServeMux()
 	api.Version = cfg.Version
 
-	// Create and register logs API handler
+	// Create OAuth middleware if authentication is enabled for main app OR interim pages
+	var oauthMW *auth.OAuthMiddleware
+	needsOAuth := cfg.AppConfig.AuthType == "oauth" || cfg.AppConfig.InterimPageAuth
+
+	if needsOAuth {
+		var err error
+		oauthMW, err = auth.NewOAuthMiddleware(log)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create OAuth middleware: %w", err)
+		}
+
+		if cfg.AppConfig.AuthType == "oauth" {
+			log.Info("OAuth authentication enabled for ALL routes (app + interim pages)")
+		} else if cfg.AppConfig.InterimPageAuth {
+			log.Info("OAuth authentication enabled for INTERIM PAGES ONLY (app is public)")
+		}
+	}
+
+	// CRITICAL SECURITY: Determine if interim pages need authentication
+	// If --authtype=oauth: protect everything (app + interim pages)
+	// If --interim-page-auth: protect only interim pages (app is public)
+	// Otherwise: protect nothing
+	protectInterim := cfg.AppConfig.AuthType == "oauth" || cfg.AppConfig.InterimPageAuth
+
+	// CRITICAL SECURITY: Register logs API handler with or without authentication
 	logsHandler := api.NewLogsHandler(cfg.Manager, log)
-	logsHandler.RegisterInterimRoutes(mux, interimBasePath)
+	if protectInterim && oauthMW != nil {
+		logsHandler.RegisterInterimRoutesWithAuth(mux, interimBasePath, oauthMW)
+	} else {
+		logsHandler.RegisterInterimRoutes(mux, interimBasePath)
+		log.Warn("logs API NOT protected - sensitive logs exposed!", "path", interimBasePath+"/api/*")
+	}
 
 	// Create interim page handler
 	interimHandler := interim.NewHandler(interim.Config{
 		Manager:    cfg.Manager,
 		Logger:     log,
 		AppURLPath: appRootPath,
 	})
-	mux.Handle(interimBasePath, interimHandler)
+
+	// CRITICAL SECURITY: Wrap interim handler with OAuth authentication if needed
+	// Interim pages can expose sensitive subprocess logs!
+	if protectInterim && oauthMW != nil {
+		mux.Handle(interimBasePath, oauthMW.Wrap(interimHandler))
+		log.Info("interim page protected with OAuth authentication", "path", interimBasePath)
+	} else {
+		mux.Handle(interimBasePath, interimHandler)
+		log.Warn("interim page NOT protected - sensitive logs exposed!", "path", interimBasePath)
+	}
 
 	// Create backend proxy handler
 	proxyHandler, err := proxy.NewHandler(

test/integration/security_interim_only_test.go

@@ -0,0 +1,137 @@
+// security_interim_only_test.go - Tests --interim-page-auth flag
+//
+// Verifies the --interim-page-auth flag behavior:
+// - Main application: accessible without authentication (200 OK)
+// - Interim pages & logs API: requires authentication (302 redirect)
+
+package integration
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"os"
+	"os/exec"
+	"testing"
+	"time"
+)
+
+// TestInterimPageAuthFlag tests the --interim-page-auth flag
+// This flag allows protecting interim pages and logs API while keeping the main app public
+func TestInterimPageAuthFlag(t *testing.T) {
+	// Get free ports for proxy and subprocess
+	proxyPort := getFreePort(t)
+	destPort := getFreePort(t)
+
+	// Build the binary first
+	binaryPath := buildBinary(t)
+
+	// Start jhub-app-proxy with --authtype=none but --interim-page-auth=true
+	ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
+	defer cancel()
+
+	cmd := exec.CommandContext(ctx, binaryPath,
+		"--port", fmt.Sprintf("%d", proxyPort),
+		"--destport", fmt.Sprintf("%d", destPort),
+		"--authtype", "none", // Main app is PUBLIC
+		"--interim-page-auth", // But interim pages are PROTECTED
+		"--log-format", "pretty",
+		"--log-level", "info",
+		"--",
+		"python3", "-m", "http.server", "{port}",
+	)
+
+	// Set minimal JupyterHub environment variables (required for OAuth)
+	cmd.Env = append(os.Environ(),
+		"JUPYTERHUB_API_TOKEN=test-token-12345",
+		"JUPYTERHUB_API_URL=http://localhost:8081/hub/api",
+		"JUPYTERHUB_USER=testuser",
+		"JUPYTERHUB_SERVICE_PREFIX=/user/testuser/",
+	)
+
+	cmd.Stdout = os.Stdout
+	cmd.Stderr = os.Stderr
+
+	if err := cmd.Start(); err != nil {
+		t.Fatalf("Failed to start jhub-app-proxy: %v", err)
+	}
+	defer func() {
+		if cmd.Process != nil {
+			cmd.Process.Kill()
+		}
+	}()
+
+	proxyURL := fmt.Sprintf("http://127.0.0.1:%d", proxyPort)
+	servicePrefix := "/user/testuser"
+	interimPath := servicePrefix + "/_temp/jhub-app-proxy"
+
+	// Wait for proxy to be ready (use main app since interim is protected)
+	if err := waitForHTTP(proxyURL+servicePrefix+"/", 5*time.Second); err != nil {
+		t.Fatalf("Proxy did not become ready: %v", err)
+	}
+
+	// Give the subprocess time to fully start (we can't use stats API since it's protected)
+	time.Sleep(3 * time.Second)
+
+	// Test 1: Main app should be PUBLIC (no auth required)
+	t.Run("MainAppIsPublic", func(t *testing.T) {
+		resp, err := http.Get(proxyURL + servicePrefix + "/")
+		if err != nil {
+			t.Fatalf("Failed to request main app: %v", err)
+		}
+		defer resp.Body.Close()
+
+		// Should return 200 OK - app is public!
+		if resp.StatusCode != 200 {
+			t.Errorf("Expected 200 for public app, got %d", resp.StatusCode)
+		}
+	})
+
+	// Test 2: Interim page should be PROTECTED (auth required)
+	t.Run("InterimPageIsProtected", func(t *testing.T) {
+		client := &http.Client{
+			CheckRedirect: func(req *http.Request, via []*http.Request) error {
+				return http.ErrUseLastResponse
+			},
+		}
+		resp, err := client.Get(proxyURL + interimPath)
+		if err != nil {
+			t.Fatalf("Failed to request interim page: %v", err)
+		}
+		defer resp.Body.Close()
+
+		// Should NOT return 200 - interim page is protected!
+		if resp.StatusCode == 200 {
+			t.Errorf("SECURITY ISSUE: Interim page should be protected but got 200")
+		}
+
+		// Should redirect to OAuth
+		if resp.StatusCode != 302 {
+			t.Errorf("Expected 302 redirect for protected interim page, got %d", resp.StatusCode)
+		}
+	})
+
+	// Test 3: Logs API should be PROTECTED (auth required)
+	t.Run("LogsAPIIsProtected", func(t *testing.T) {
+		client := &http.Client{
+			CheckRedirect: func(req *http.Request, via []*http.Request) error {
+				return http.ErrUseLastResponse
+			},
+		}
+		resp, err := client.Get(proxyURL + interimPath + "/api/logs/all")
+		if err != nil {
+			t.Fatalf("Failed to request logs API: %v", err)
+		}
+		defer resp.Body.Close()
+
+		// Should NOT return 200 - logs API is protected!
+		if resp.StatusCode == 200 {
+			t.Errorf("SECURITY ISSUE: Logs API should be protected but got 200")
+		}
+
+		// Should redirect to OAuth
+		if resp.StatusCode != 302 {
+			t.Errorf("Expected 302 redirect for protected logs API, got %d", resp.StatusCode)
+		}
+	})
+}