Help with setting up authentication

enra64 · August 22, 2020, 1:28pm

Hi, I’m trying to secure access to my bokeh server. To this end, I found two options in the documentation: use signed session IDs, or provide a get_user function in an auth module. I tried both approaches, and can get neither to work:

With signed session IDs, it’s no problem to set up bokeh to only accept those, but when using server_document, there is no way to provide session IDs. Is there something I am missing in terms of how I should use bokeh here?

I also want to implement an auth hook, but the documentation says my get_user function should return None in case the user is not authenticated – when I do that, the following exception occurs:

2020-08-22 15:24:09,948 Starting Bokeh server with process id: 139215
<Response [406]>
no user found!
2020-08-22 15:24:21,810 Uncaught exception GET /sensordata/autoload.js?bokeh-autoload-element=1002&bokeh-app-path=/sensordata&bokeh-absolute-url=http://127.0.0.1:5006/sensordata&userId=1&studyId=1&token=token (127.0.0.1)

HTTPServerRequest(protocol=‘http’, host=‘127.0.0.1:5006’, method=‘GET’, uri=‘/sensordata/autoload.js?bokeh-autoload-element=1002&bokeh-app-path=/sensordata&bokeh-absolute-url=http://127.0.0.1:5006/sensordata&userId=1&studyId=1&token=token’, version=‘HTTP/1.1’, remote_ip=‘127.0.0.1’)

Traceback (most recent call last):
File “/home/…/venv/lib/python3.8/site-packages/tornado/web.py”, line 1703, in _execute
result = await result
File “/home/…/venv/lib/python3.8/site-packages/bokeh/server/views/autoload_js_handler.py”, line 60, in get
session = await self.get_session()
TypeError: object NoneType can’t be used in ‘await’ expression

It seems to me like the documentation is wrong here, and something other than None should be returned, but I’m not sure what, since I guess anything else would just create a new “default user”.

For reference: this is the code I’m trying to use as an auth provider:

import os

import requests
from dotenv import load_dotenv
from tornado.web import RequestHandler

from bokeh_server.sensordata.backend import Backend


def get_user(request_handler: RequestHandler):
    user_id = request_handler.get_query_argument("userId")
    token = request_handler.get_query_argument("token")

    response = requests.get(
        url=Backend.backend_url("users/{uid}".format(uid=user_id)),
        headers=Backend.backend_headers(token=token),
    )

    print(str(response))
    if response.status_code == 200:
        return user_id

    print("no user found!")

    return None


def get_login_url(_: RequestHandler):
    return "mylogin.de/login"

Bryan · August 22, 2020, 3:11pm

You want server_session, which accepts a session_id parameter, not server_document.

As for the auth handler, the function should definitely return None, as can be seen in the example in the repo. Does that example work for you? If not, perhaps there is some unknown package incompatibility (please provide relevant package info). If the example does work, then there is something specific about your actual full code that is causing (or exposing) a problem, but it will be difficult to diagnose without a minimal reproducer.

enra64 · August 23, 2020, 8:08am

Hey Bryan, thanks for your prompt response, I’m sorry I only saw it today.

Regarding the second issue, it seems that my script to start bokeh standalone to be able to debug it wasn’t complete, since now with using bokeh serve it works. Thanks!

For the first issue I tried to replace server_document with server_session, but then I get CORS errors because the OPTIONS method is not allowed, killing the preflight checks done to verify CORS. I’ve now worked around it by setting a “bokeh-session-id” header manually and using server_document as before. Of course I did set --allow-websocket-origin=*:

script = server_document(
        url=bokeh_url(),
        arguments={k: v for (k, v) in arguments.items()},
        headers={"bokeh-session-id": generate_session_id()},
    )

Bryan · August 24, 2020, 12:13am

I’m not really sure I follow, is there some change needed on the Bokeh side?

enra64 · September 7, 2020, 5:15pm

TLDR: I think I kinda fixed my problems. Except maybe for the OPTIONS request thing, where I’m not sure if bokeh should/does support those.

Sorry for my long absence - the question would be does Bokeh reply to OPTIONS requests? As far as I know, under certain preconditions browsers will send an OPTIONS request to determine if CORS is allowed. It seems sometimes my browser does this, but maybe they only show up if they fail due to misconfiguration on my part? Bokeh definitely sometimes works. I’m sorry I can’t provide a better example, this is mostly because I’m also deploying in a complicated environment and don’t really know it’s exact specifications.

I solved my first problem by just hardcoding the bokeh server session id into server_document, since I didn’t know how to set up a session to retrieve with server_session

script = server_document(
    url=bokeh_url(),
    # only consider arguments that are not None
    arguments={k: v for (k, v) in arguments.items() if v is not None},
    headers={"bokeh-session-id": generate_session_id()},
)

I’m not sure anymore how I solved the second problem, but it seems returning None in get_user doesn’t crash anything and probably it was something with packages, as the examples did work.

Bryan · September 8, 2020, 8:38pm

@enra64 Currently the Bokeh server does not repond to OPTIONS requests. I had once made an issue to propose add support for a pre-flight OPTIONS request:

github.com/bokeh/bokeh

Add a preflight session check to Bokeh server?

opened 04:39PM - 01 May 19 UTC

closed 02:53AM - 07 Feb 20 UTC

bryevdv

type: discussion reso: noaction

Should we support a new endpoint on the Bokeh server that simply returns whether… a potential connection would be immediately blocked or not? I had the idea looking at https://docs.microsoft.com/en-us/rest/api/storageservices/preflight-blob-request The idea is that e.g. a Flask app embedding a Bokeh app could first issue a preflight, and if it comes back negative (e.g. because allowed websocket hosts are wrong, or because a signed session id is invalid) then the flask app could handle gracefully degrading however it wanted. To be clear, in either of those cases above, I think the problem would be with the configuration on the Flask side. But all software has bugs and this would allow people embedding Bokeh apps to be more defensive and also fail more gracefully in case there is a problem. This seems both somewhat useful, as well as simple to implement. I think I'd just add support for a `OPTIONS` request at a normal bokeh server URL, and then return some data about whether a session for that URL would be proceeded with. cc @bokeh/dev @havocp I would love any thoughts if you have time to chime in.

But there was never any interest or feedback so I closed it with no action. However, if there’s something tangible do discuss, we can certainly re-open.