Resolve "Replace JWT authentication with Session Authentication"

Author: briancaffey

.gitlab-ci.yml

@@ -11,6 +11,7 @@ stages:
 include:
   - local: /gitlab-ci/documentation.yml
   - local: /gitlab-ci/renovate.yml
+  - local: /gitlab-ci/aws/cdk.yml
   - local: /gitlab-ci/aws/dev.yml
   - local: /gitlab-ci/aws/app.yml
 

awscdk/app.py

@@ -3,7 +3,7 @@
 
 from aws_cdk import core
 
-from awscdk.cdk_app_root import ApplicationStack
+from awscdk.app_stack import ApplicationStack
 
 # naming conventions, also used for ACM certs, DNS Records, resource naming
 # Dynamically generated resource names created in CDK are used in GitLab CI

awscdk/awscdk/cdk_app_root.py awscdk/awscdk/app_stack.pyawscdk/awscdk/cdk_app_root.py renamed to awscdk/awscdk/app_stack.py

@@ -15,6 +15,7 @@
 from static_site_bucket import StaticSiteStack
 from flower import FlowerServiceStack
 from celery_autoscaling import CeleryAutoscalingStack
+from bastion_host import BastionHost
 
 from backend import BackendServiceStack
 from backend_tasks import BackendTasksStack
@@ -80,7 +81,9 @@ def __init__(
 
         # image used for all django containers: gunicorn, daphne, celery, beat
         self.image = ecs.AssetImage(
-            "./backend", file="scripts/prod/Dockerfile", target="production",
+            "./backend",
+            file="scripts/prod/Dockerfile",
+            target="production",
         )
 
         self.variables = Variables(
@@ -110,3 +113,6 @@ def __init__(
 
         # migrate, collectstatic, createsuperuser
         self.backend_tasks = BackendTasksStack(self, "BackendTasksStack")
+
+        # bastion host
+        self.bastion_host = BastionHost(self, "BastionHost")

awscdk/awscdk/backend_tasks.py

@@ -1,6 +1,11 @@
 import os
 
-from aws_cdk import core, aws_ecs as ecs, aws_cloudformation as cloudformation
+from aws_cdk import (
+    core,
+    aws_ecs as ecs,
+    aws_cloudformation as cloudformation,
+    aws_logs as logs,
+)
 
 # These tasks are executed from manual GitLab CI jobs. The cluster is
 # specified with:
@@ -9,9 +14,16 @@
 
 
 class BackendTasksStack(cloudformation.NestedStack):
-    def __init__(self, scope: core.Construct, id: str, **kwargs,) -> None:
+    def __init__(
+        self,
+        scope: core.Construct,
+        id: str,
+        **kwargs,
+    ) -> None:
         super().__init__(
-            scope, id, **kwargs,
+            scope,
+            id,
+            **kwargs,
         )
 
         # migrate
@@ -28,7 +40,10 @@ def __init__(self, scope: core.Construct, id: str, **kwargs,) -> None:
             environment=scope.variables.regular_variables,
             secrets=scope.variables.secret_variables,
             command=["python3", "manage.py", "migrate", "--no-input"],
-            logging=ecs.LogDrivers.aws_logs(stream_prefix="MigrateCommand"),
+            logging=ecs.LogDrivers.aws_logs(
+                stream_prefix="MigrateCommand",
+                log_retention=logs.RetentionDays.ONE_DAY,
+            ),
         )
 
         # collectstatic
@@ -79,6 +94,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs,) -> None:
             ),
             command=["python3", "manage.py", "create_default_user"],
             logging=ecs.LogDrivers.aws_logs(
-                stream_prefix="CreateSuperuserCommand"
+                stream_prefix="CreateSuperuserCommand",
+                log_retention=logs.RetentionDays.ONE_DAY,
             ),
         )

awscdk/awscdk/bastion_host.py

@@ -0,0 +1,73 @@
+import os
+
+from aws_cdk import (
+    aws_autoscaling as autoscaling,
+    aws_cloudformation as cloudformation,
+    aws_ec2 as ec2,
+    aws_ecs as ecs,
+    core,
+)
+
+
+class BastionHost(cloudformation.NestedStack):
+    def __init__(
+        self,
+        scope: core.Construct,
+        id: str,
+        **kwargs,
+    ) -> None:
+        super().__init__(
+            scope,
+            id,
+            **kwargs,
+        )
+
+        # add ingress rule on port 22 for SSH
+        ec2.SecurityGroup.from_security_group_id(
+            self,
+            "DefaultSecurityGroupForIngress",
+            scope.vpc.vpc_default_security_group,
+        ).add_ingress_rule(
+            ec2.Peer.any_ipv4(),
+            ec2.Port.tcp(22),
+        )
+
+        self.asg = autoscaling.AutoScalingGroup(
+            self,
+            "AutoScalingGroup",
+            instance_type=ec2.InstanceType("t2.micro"),
+            machine_image=ecs.EcsOptimizedAmi(),
+            security_group=ec2.SecurityGroup.from_security_group_id(
+                self,
+                "DefaultSecurityGroupId",
+                scope.vpc.vpc_default_security_group,
+            ),
+            associate_public_ip_address=True,
+            update_type=autoscaling.UpdateType.REPLACING_UPDATE,
+            desired_capacity=1,
+            vpc=scope.vpc,
+            key_name=os.environ.get("KEY_NAME"),
+            vpc_subnets={'subnet_type': ec2.SubnetType.PUBLIC},
+        )
+
+        self.cluster = scope.cluster
+
+        self.cluster.add_auto_scaling_group(self.asg)
+
+        self.bastion_host_task = ecs.Ec2TaskDefinition(self, "BastionHostTask")
+
+        self.bastion_host_task.add_container(
+            "BastionHostContainer",
+            image=scope.image,
+            command=["/start_prod.sh"],
+            environment=scope.variables.regular_variables,
+            memory_reservation_mib=128
+            # secrets=scope.variables.secret_variables,
+        )
+
+        self.bastion_host_service = ecs.Ec2Service(
+            self,
+            "BastionHostService",
+            task_definition=self.bastion_host_task,
+            cluster=self.cluster,
+        )

awscdk/awscdk/cloudfront.py

@@ -16,7 +16,12 @@
 
 
 class CloudFrontStack(cloudformation.NestedStack):
-    def __init__(self, scope: core.Construct, id: str, **kwargs,) -> None:
+    def __init__(
+        self,
+        scope: core.Construct,
+        id: str,
+        **kwargs,
+    ) -> None:
         super().__init__(scope, id, **kwargs)
 
         s3_domain_prefix = scope.static_site_bucket.bucket_name
@@ -54,7 +59,8 @@ def __init__(self, scope: core.Construct, id: str, **kwargs,) -> None:
                     ),
                     behaviors=[
                         cloudfront.Behavior(
-                            is_default_behavior=True, cached_methods=GET_HEAD,
+                            is_default_behavior=True,
+                            cached_methods=GET_HEAD,
                         )
                     ],
                 ),

awscdk/awscdk/flower.py

@@ -11,9 +11,16 @@
 
 
 class FlowerServiceStack(cloudformation.NestedStack):
-    def __init__(self, scope: core.Construct, id: str, **kwargs,) -> None:
+    def __init__(
+        self,
+        scope: core.Construct,
+        id: str,
+        **kwargs,
+    ) -> None:
         super().__init__(
-            scope, id, **kwargs,
+            scope,
+            id,
+            **kwargs,
         )
 
         self.flower_task = ecs.FargateTaskDefinition(self, "FlowerTask")
@@ -26,7 +33,7 @@ def __init__(self, scope: core.Construct, id: str, **kwargs,) -> None:
 
         self.flower_task.add_container(
             "FlowerContainer",
-            image=ecs.ContainerImage.from_registry("mher/flower"),
+            image=ecs.ContainerImage.from_registry("mher/flower:0.9"),
             logging=ecs.LogDrivers.aws_logs(
                 stream_prefix="FlowerContainer",
                 log_retention=logs.RetentionDays.ONE_DAY,

backend/apps/accounts/migrations/0002_auto_20201117_0735.py

@@ -0,0 +1,18 @@
+# Generated by Django 3.1.2 on 2020-11-17 07:35
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='customuser',
+            name='first_name',
+            field=models.CharField(blank=True, max_length=150, verbose_name='first name'),
+        ),
+    ]

backend/apps/accounts/urls.py

@@ -1,31 +1,23 @@
 from django.urls import include, path, re_path
-from rest_framework_simplejwt.views import (
-    TokenObtainPairView,
-    TokenRefreshView,
-    TokenVerifyView,
-)
 
 from . import views
 
+
 urlpatterns = [
-    re_path(
-        r"^auth/obtain_token/",
-        TokenObtainPairView.as_view(),
-        name="api-jwt-auth",
-    ),
-    re_path(
-        r"^auth/refresh_token/",
-        TokenRefreshView.as_view(),
-        name="api-jwt-refresh",
+    path('login-set-cookie/', views.login_set_cookie, name="login-view"),
+    path('login/', views.login_view, name="login-view"),
+    path('logout/', views.logout_view, name="logout-view"),
+    path(
+        "users/profile/",
+        views.Profile.as_view(),
+        name="user-profile",
     ),
-    re_path(
-        r"^auth/verify_token/",
-        TokenVerifyView.as_view(),
-        name="api-jwt-verify",
-    ),
-    path("users/profile/", views.Profile.as_view(), name="user-profile",),
     # Social Auth Callbacks
-    path("social/<backend>/", views.exchange_token, name="social-auth",),
+    path(
+        "social/<backend>/",
+        views.exchange_token,
+        name="social-auth",
+    ),
 ]
 
 urlpatterns += [

backend/apps/accounts/views.py

@@ -1,5 +1,10 @@
+import json
+
 from django.conf import settings
-from django.contrib.auth import get_user_model
+from django.contrib.auth import authenticate, get_user_model, login, logout
+from django.http import JsonResponse
+from django.views.decorators.csrf import ensure_csrf_cookie
+from django.views.decorators.http import require_POST
 from requests.exceptions import HTTPError
 from rest_framework import permissions, serializers, status
 from rest_framework.decorators import api_view, permission_classes
@@ -15,6 +20,43 @@
 User = get_user_model()
 
 
+@require_POST
+def logout_view(request):
+    logout(request)
+    return JsonResponse({"detail": "Logout Successful"})
+
+
+@ensure_csrf_cookie
+def login_set_cookie(request):
+    """
+    `login_view` requires that a csrf cookie be set.
+    `getCsrfToken` in `auth.js` uses this cookie to
+    make a request to `login_view`
+    """
+    return JsonResponse({"details": "CSRF cookie set"})
+
+
+@require_POST
+def login_view(request):
+    """
+    This function logs in the user and returns
+    and HttpOnly cookie, the `sessionid` cookie
+    """
+    data = json.loads(request.body)
+    email = data.get('email')
+    password = data.get('password')
+    if email is None or password is None:
+        return JsonResponse(
+            {"errors": {"__all__": "Please enter both username and password"}},
+            status=400,
+        )
+    user = authenticate(email=email, password=password)
+    if user is not None:
+        login(request, user)
+        return JsonResponse({"detail": "Success"})
+    return JsonResponse({"detail": "Invalid credentials"}, status=400)
+
+
 def get_tokens_for_user(user):
     refresh = RefreshToken.for_user(user)
 
@@ -29,7 +71,10 @@ class SocialSerializer(serializers.Serializer):
     Serializer which accepts an OAuth2 code.
     """
 
-    code = serializers.CharField(allow_blank=False, trim_whitespace=True,)
+    code = serializers.CharField(
+        allow_blank=False,
+        trim_whitespace=True,
+    )
 
 
 @api_view(http_method_names=["POST"])