Describe the bug
I've noticed some anomalies in the token system for soft-serve, namely:
- It seems that KeyboardInteractiveHandler ignores the token challenge, so tokens are not checked. A user given a token to access soft serve gets the same access as someone with no token at all (for AllowKeyless=true). With AllowKeyless=false, a valid token is rejected identically to an invalid one.
- Token-authenticated sessions have no user identity, so collaborator-based access control is bypassed. Instead, I expected KeyboardInteractiveHandler to validate the token via UserByAccessToken and resolve the user identity in AuthenticationMiddleware.
If unintentional, token-based access control is "silently" broken. If this is intentional, Id appreciate clarification on the intended use case for access tokens.
To Reproduce
Steps to reproduce the behavior:
- Create a user and token: ssh -p 23231 localhost token create mytoken
- Set AllowKeyless=false: ssh -p 23231 localhost settings allow-keyless false
- Connect with the valid token via keyboard-interactive -> connection is rejected
- Set AllowKeyless=true: ssh -p 23231 localhost settings allow-keyless true
- Connect with any random string via keyboard-interactive -> connection is accepted
In both configurations, the token value has no effect on the outcome.
Additionally, since token-authenticated sessions have no user identity, AuthenticationMiddleware does not resolve the user, so collaborator-based repo filtering in repo list does not apply. This means that a private repo the user was added to as a collaborator isn't shown.
Expected behavior
KeyboardInteractiveHandler should validate the token via UserByAccessToken and accept/reject based on whether the token is valid. Valid tokens should be accepted regardless of AllowKeyless. The resolved user identity should be set in the session context so collaborator-based access control works for token-authenticated sessions.
Describe the bug
I've noticed some anomalies in the token system for soft-serve, namely:
If unintentional, token-based access control is "silently" broken. If this is intentional, Id appreciate clarification on the intended use case for access tokens.
To Reproduce
Steps to reproduce the behavior:
In both configurations, the token value has no effect on the outcome.
Additionally, since token-authenticated sessions have no user identity, AuthenticationMiddleware does not resolve the user, so collaborator-based repo filtering in repo list does not apply. This means that a private repo the user was added to as a collaborator isn't shown.
Expected behavior
KeyboardInteractiveHandler should validate the token via UserByAccessToken and accept/reject based on whether the token is valid. Valid tokens should be accepted regardless of AllowKeyless. The resolved user identity should be set in the session context so collaborator-based access control works for token-authenticated sessions.