Backport logout fix to 3.10.x (#7175)

* Prevent users being logged out incorrectly (#7171)

Updates API and Webapp to:

- Only consider 401s from CouchDB to be valid missing authentication
- Throw other _session errors without changes
- Malformed _session responses result in a 500
- Don't send 401s for missing userCtx, instead send the actual authentication error or a 500.
- Add a custom header to 401 responses that Webapp checks for, and only when matched it would log users out. (prevents man-in-the-middle from logging users out with 401s)

#7169

(cherry picked from commit 2486dc5)

* Adds GitHub actions workflow to take over CI.

Author: dianabarsan

.github/workflows/build.yml

@@ -0,0 +1,161 @@
+name: Build cht-core and test against node versions
+
+on: [push, pull_request]
+
+env:
+  COUCH_URL: http://admin:pass@localhost:5984/medic-test
+  COUCH_NODE_NAME: nonode@nohost
+  BUILDS_SERVER: _couch/builds_testing
+  STAGING_SERVER: _couch/builds
+  UPLOAD_URL: ${{ secrets.MARKET_URL }}
+
+jobs:
+  build:
+    name: Compile the app
+    runs-on: ubuntu-18.04
+
+    steps:
+    - name: Get Docker Hub username
+      id: get-docker-hub-username
+      run: echo '::set-output name=dockerhub_username::${{ secrets.DOCKERHUB_USERNAME }}'
+    - name: Login to Docker Hub
+      uses: docker/login-action@v1
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+      if: steps.get-docker-hub-username.outputs.dockerhub_username
+    - name: Set UPLOAD_URL var
+      run: |
+        if [[ -z "$UPLOAD_URL" ]]; then
+          echo "UPLOAD_URL=https://staging.dev.medicmobile.org" >> $GITHUB_ENV
+          echo "BUILDS_SERVER=_couch/builds_external" >> $GITHUB_ENV
+          echo "STAGING_SERVER=_couch/builds_external" >> $GITHUB_ENV
+        fi
+    - name: Get branch name
+      uses: nelonoel/branch-name@1ea5c86cb559a8c4e623da7f188496208232e49f
+    - name: Set Travis Vars
+      run: |
+        echo "TRAVIS_BUILD_NUMBER=$GITHUB_RUN_ID" >> $GITHUB_ENV
+        echo "TRAVIS_BRANCH=$BRANCH_NAME" >> $GITHUB_ENV
+    - uses: actions/checkout@v2
+    - name: Use Node.js 12.x
+      uses: actions/setup-node@v1
+      with:
+        node-version: 12.x
+    - name: Couch Start
+      run: ./scripts/travis/couch-start
+    - name: Create logs directory
+      run: mkdir tests/logs
+    - name: npm CI
+      run: npm ci
+    - name: Grunt Install
+      run: npm install -g grunt-cli
+    - name: Configure Couch
+      run: ./scripts/travis/couch-config
+    - name: Grunt CI-Compile
+      run: |
+        node --stack_size=10000 `which grunt` ci-compile
+    - name: Publish for testing
+      run: |
+        node --stack_size=10000 `which grunt` publish-for-testing
+
+  test-e2e:
+    needs: build
+    name: e2e Tests for Node version ${{ matrix.node-version }}
+    runs-on: ubuntu-18.04
+
+    strategy:
+      matrix:
+        node-version: [8.x, 10.x, 12.x]
+
+    steps:
+    - name: Get Docker Hub username
+      id: get-docker-hub-username
+      run: echo '::set-output name=dockerhub_username::${{ secrets.DOCKERHUB_USERNAME }}'
+    - name: Login to Docker Hub
+      uses: docker/login-action@v1
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+      if: steps.get-docker-hub-username.outputs.dockerhub_username
+    - name: Set Travis Vars
+      run: |
+        echo "TRAVIS_BUILD_NUMBER=$GITHUB_RUN_ID" >> $GITHUB_ENV
+        echo "TEST_SUITE=integration" >> $GITHUB_ENV
+    - name: Set UPLOARD_URL var
+      run: |
+        if [[ -z "$UPLOAD_URL" ]]; then
+          echo "UPLOAD_URL=https://staging.dev.medicmobile.org" >> $GITHUB_ENV
+          echo "BUILDS_SERVER=_couch/builds_external" >> $GITHUB_ENV
+          echo "STAGING_SERVER=_couch/builds_external" >> $GITHUB_ENV
+        fi
+    - uses: actions/checkout@v2
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v1
+      with:
+        node-version: ${{ matrix.node-version }}
+    - name: Couch Start
+      run: ./scripts/travis/couch-start
+    - name: xsltprox install
+      run: sudo apt-get install xsltproc
+    - name: Create logs directory
+      run: mkdir tests/logs
+    - name: npm CI
+      run: npm ci
+    - name: Grunt Install
+      run: npm install -g grunt-cli
+    - name: Horti Install
+      run: npm install -g horticulturalist
+    - name: Configure Couch
+      run: ./scripts/travis/couch-config
+    - name: Echo Vars
+      run: |
+        echo "HORTI_BUILDS_SERVER=${UPLOAD_URL}/${BUILDS_SERVER}"
+        echo "--install=medic:medic:test-${TRAVIS_BUILD_NUMBER}"
+        echo "COUCH_URL=${COUCH_URL}"
+    - name: Curl Couch_url
+      run: curl ${COUCH_URL}
+    - name: horti setup
+      run: |
+        echo "COUCH_URL=$COUCH_URL HORTI_BUILDS_SERVER=$UPLOAD_URL/$BUILDS_SERVER"
+        COUCH_URL=$COUCH_URL HORTI_BUILDS_SERVER=$UPLOAD_URL/$BUILDS_SERVER horti --local --install=medic:medic:test-$TRAVIS_BUILD_NUMBER > tests/logs/horti.log &
+    - name: Test it!
+      run: node --stack_size=10000 `which grunt` ci-e2e
+    - name: Dump Couch logs
+      run: docker logs couch > tests/logs/couch.log 2>&1
+      if: ${{ always() }}
+    - name: Archive Results
+      uses: actions/upload-artifact@v2
+      with:
+        name: Results Artifact ${{ matrix.node-version }}
+        path: |
+          tests/results
+          tests/logs
+      if: ${{ failure() }}
+
+  publish:
+    needs: [test-e2e]
+    name: Publish branch build
+    runs-on: ubuntu-18.04
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Set UPLOAD_URL var
+      run: |
+        if [[ -z "$UPLOAD_URL" ]]; then
+        echo "UPLOAD_URL=https://staging.dev.medicmobile.org" >> $GITHUB_ENV
+        echo "BUILDS_SERVER=_couch/builds_external" >> $GITHUB_ENV
+        echo "STAGING_SERVER=_couch/builds_external" >> $GITHUB_ENV
+        fi
+    - name: Get branch name
+      uses: nelonoel/branch-name@1ea5c86cb559a8c4e623da7f188496208232e49f
+    - name: Set Travis Vars
+      run: |
+        echo "TRAVIS_BUILD_NUMBER=$GITHUB_RUN_ID" >> $GITHUB_ENV
+        echo "TRAVIS_BRANCH=$BRANCH_NAME" >> $GITHUB_ENV
+    - name: Publish
+      if: ${{ github.event_name != 'pull_request' }}
+      run: |
+        cd scripts/travis
+        npm ci
+        node ./publish.js

Gruntfile.js

@@ -14,7 +14,7 @@ const {
   STAGING_SERVER,
   BUILDS_SERVER,
   TRAVIS_BUILD_NUMBER,
-  WEBDRIVER_VERSION=85
+  WEBDRIVER_VERSION=90
 } = process.env;
 
 const releaseName = TRAVIS_TAG || TRAVIS_BRANCH || 'local-development';
@@ -521,8 +521,8 @@ module.exports = function(grunt) {
       'start-webdriver': {
         cmd:
           'mkdir -p tests/logs && ' +
-          './node_modules/.bin/webdriver-manager update && ' +
-          './node_modules/.bin/webdriver-manager start > tests/logs/webdriver.log & ' +
+          './node_modules/.bin/webdriver-manager update --versions.chrome 90.0.4430.24 && ' +
+          './node_modules/.bin/webdriver-manager start --versions.chrome 90.0.4430.24 &> tests/logs/webdriver.log & ' +
           'until nc -z localhost 4444; do sleep 1; done',
       },
       'check-env-vars':

api/src/auth.js

@@ -86,14 +86,17 @@ module.exports = {
   getUserCtx: req => {
     return get('/_session', req.headers)
       .catch(err => {
-        throw { code: 401, message: 'Not logged in', err: err };
+        if (err.statusCode === 401) {
+          throw { code: 401, message: 'Not logged in', err: err };
+        }
+        throw err;
       })
       .then(auth => {
         if (auth && auth.userCtx && auth.userCtx.name) {
           req.headers['X-Medic-User'] = auth.userCtx.name;
           return auth.userCtx;
         }
-        throw { code: 401, message: 'Not logged in' };
+        throw { code: 500, message: 'Failed to authenticate' };
       });
   },
 

api/src/middleware/authorization.js

@@ -31,27 +31,40 @@ module.exports = {
       .then(next);
   },
 
-  // blocks offline users not-authorized requests
-  offlineUserFirewall: (req, res, next) => {
+  handleAuthErrors: (req, res, next) => {
+    if (req.authErr) {
+      return serverUtils.error(req.authErr, req, res);
+    }
+
     if (!req.userCtx) {
-      return serverUtils.notLoggedIn(req, res);
+      return serverUtils.error('Authentication error', req, res);
+    }
+
+    next();
+  },
+
+  handleAuthErrorsAllowingAuthorized: (req, res, next) => {
+    if (req.authorized) {
+      return next();
     }
 
-    if (!auth.isOnlineOnly(req.userCtx) && !req.authorized) {
+    return module.exports.handleAuthErrors(req, res, next);
+  },
+
+  // blocks offline users not-authorized requests
+  offlineUserFirewall: (req, res, next) => {
+    if (req.userCtx && !auth.isOnlineOnly(req.userCtx) && !req.authorized) {
       res.status(FIREWALL_ERROR.code);
       return res.json(FIREWALL_ERROR);
     }
     next();
   },
 
+  // proxies unauthenticated requests to CouchDB
   // proxies online users requests to CouchDB
   // saves offline user-settings doc in the request object
   onlineUserProxy: (proxy, req, res, next) => {
-    if (!req.userCtx) {
-      return serverUtils.notLoggedIn(req, res);
-    }
-
-    if (auth.isOnlineOnly(req.userCtx)) {
+    if (!req.userCtx || auth.isOnlineOnly(req.userCtx)) {
       return proxy.web(req, res);
     }
 
@@ -62,10 +75,6 @@ module.exports = {
   // saves offline user-settings doc in the request object
   // used for audited endpoints
   onlineUserPassThrough:(req, res, next) => {
-    if (!req.userCtx) {
-      return serverUtils.notLoggedIn(req, res);
-    }
-
     if (auth.isOnlineOnly(req.userCtx)) {
       return next('route');
     }
@@ -80,10 +89,6 @@ module.exports = {
   },
 
   getUserSettings: (req, res, next) => {
-    if (!req.userCtx) {
-      return serverUtils.notLoggedIn(req, res);
-    }
-
     if (auth.isOnlineOnly(req.userCtx)) {
       return next();
     }