🐛 Fixes auth product error in vendor services 🚨

[pcrespov]

What do these changes do?

The Forward auth Traefik middleware, introduced in this pull request, uses the webserver's GET v0/auth:check endpoint to authenticate vendor services, whether deployed dynamically (e.g., a Jupyter service started in a study) or statically (e.g., the S4L manual).

The GET v0/auth:check endpoint relies on the products middleware to determine which product is being requested. It then checks if the user is authenticated and authorized for that product. Since the Forward auth middleware handles the request, we needed to use the X-Forward-Host header to identify the originating hostname instead of relying solely on the hostname itself.

We also tried sending the X-Simcore-Product header from the front-end when loading the site in an iframe, but we ran into CORS issues. For now, we've abandoned this approach.

Key Highlights

• 🐛 product middleware
  • Now detects the product from the X-Forwarded-Host header when used in the middleware.
• ♻️ session plugin
  • Separated the session._cookie_storage module and added some robustness improvements.
• ♻️ security plugin
  • Introduced a constant for the product.login permission key.

IMPORTANT: This approach requires further testing, but we've committed it to unblock first the master-e2e deployments. Following PRs will address this #6522

Related issue/s

• Fixes Authentication failing when only s4l product is present #6506
• Follows up from feature introduced in 🎨 Adds authentication for new style dynamic services and platform vendor services ⚠️ #6484

How to test

cd services/web/server
make install-dev
pytest -v tests/unit/isolated/test_products_middlewares.py

Manually

make up-prod
make show-endpoints

• open main site (1) -> shows login page
• open Vendor Manual (Fake) (2) -> no access
• login in (1)
• open (2) -> access. shows request info (it a https://github.com/traefik/whoami service )
• logout in (1)
• open (2) -> no access

Dev-ops checklist

None

[codecov]

Codecov Report

Attention: Patch coverage is 89.65517% with 6 lines in your changes missing coverage. Please review.

Project coverage is 88.1%. Comparing base (cafbf96) to head (ab71c65).
Report is 627 commits behind head on master.

Files with missing lines	Patch %	Lines
...mcore_service_webserver/session/_cookie_storage.py	80.6%	6 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff            @@
##           master   #6512      +/-   ##
=========================================
+ Coverage    84.5%   88.1%    +3.5%     
=========================================
  Files          10    1548    +1538     
  Lines         214   63346   +63132     
  Branches       25    2059    +2034     
=========================================
+ Hits          181   55822   +55641     
- Misses         23    7207    +7184     
- Partials       10     317     +307     

Flag	Coverage Δ
integrationtests	64.7% <81.0%> (?)
unittests	86.1% <89.6%> (+1.5%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
.../simcore_service_webserver/application_settings.py	99.4% <ø> (ø)
.../src/simcore_service_webserver/login/decorators.py	100.0% <100.0%> (ø)
...ver/src/simcore_service_webserver/products/_api.py	73.8% <ø> (ø)
...simcore_service_webserver/products/_middlewares.py	100.0% <100.0%> (ø)
...imcore_service_webserver/security/_authz_policy.py	95.2% <100.0%> (ø)
...c/simcore_service_webserver/security/_constants.py	100.0% <100.0%> (ø)
...rver/src/simcore_service_webserver/security/api.py	100.0% <100.0%> (ø)
...er/src/simcore_service_webserver/session/errors.py	100.0% <100.0%> (ø)
...er/src/simcore_service_webserver/session/plugin.py	100.0% <100.0%> (ø)
...src/simcore_service_webserver/statics/_handlers.py	50.0% <ø> (ø)
... and 1 more

... and 1487 files with indirect coverage changes

[matusdrobuliak66]

Thanks!

[GitHK]

There are 2 things that will not work here.
Let's discuss about it.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[mrnicegyu11]

very nice PR I didnt catch anything it looks very reaosnable! thanks

[GitHK]

Very good thanks for the changes.

[sanderegg]

pair reviewed. thanks!