Customizable authentication

[sdissegna-maystreet]

This is something I've been working on and I will soon submit an implementation of.

The idea is to allow users of code-server to plug in their own custom authentication method without relying on proxies and without forking the repository.

To this end, my proposal is to add a new authentication type, called custom, to the --auth configuration option. When custom is specified, the user will then need to pass in a --custom-auth-module configuration option, which should point to a module on disk that can be loaded with require, and which export a customAuth property that implements the following interface:

import type { Request, Response, Router } from "express"

/**
 * Modules assigned to the custom-auth-module configuration option
 * must export a "customAuth" property implementing this interface.
 */
export interface CodeServerCustomAuth {
  /**
   * A GET request to the "/" path of the loginRouter is made when the user needs to login.
   */
  readonly loginRouter: Router

  /**
   * A GET request to the "/" path of the logoutRouter is made when the user needs to logout.
   */
  readonly logoutRouter: Router

  /**
   * Runs once when code-server starts. It will block startup until the returned
   * promise resolves.
   */
  initialize(): Promise<void>

  /**
   * Tells if the user is authenticated and authorized.
   *
   * @param req the request that needs to be authorized.
   * @param res the current response.
   * @returns true if the user is authorized, false otherwise.
   */
  authenticated(req: Request, res: Response): Promise<boolean>
}

[jsjoeio]

To be clear, this is a great idea and something others in the community would surely benefit from. The biggest question is how should this be implemented. @code-asher has the most experience when it comes to adding these types of features to the codebase. We had a similar-ish proposal not long ago and want to ensure we do what we can to help you with this.

Let's see what he thinks.

[code-asher]

My thinking is that since code-server already has a plugin system we could expand it a little to allow plugins that add custom authentication.

This way we only have one system for plugins/modules rather than two separate ones (one for auth and one for everything else).

But the problem is that the plugin API is not documented and I do not think it is ready for release anyway. Plus since we are moving to a fork to align ourselves closer to VS Code we might want to remove the bespoke plugin system and tie into VS Code's plugin API instead.

So to move this forward we need to:

1. Decide whether to keep the separate plugin system for Express/HTTP stuff or whether we want to patch VS Code's API to support cases like authentication/etc instead
2. Decide how the actual API should look
3. Implement the API
4. Lastly, we can rebase the authentication module on this work

The API is not something we will be able to easily change so we want to be careful with it and make sure everyone is on board with what it looks like before we move to implementation.

[code-asher]

Opened a discussion here: #4072

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no activity occurs in the next 5 days.