Web UI Modern Auth

[andrewbaldwin44]

Fixes #2517

Proposal

• Add a new page to the modern UI that allows for users to authenticate with username / password or with a provider
• Remove flask_basicauth in favor of flask_login. The proposal is to move the responsibility of security and maintainability onto the user. Locust will simply specify which routes need to be protected, but the user will be the one responsible for implementing the protection. This has the added benefit of providing flexibility as to how users authenticate to the app
• Add an example of how authentication can be implemented by the user
• Add documentation on how to implement authentication
• Add tests

[cyberw]

Cool stuff. See comments. Can you have an extra look and ensure there are no remnants (documentation etc) of the old stuff? Pretty sure we can nuke the AuthCredentialsError class for example.

[cyberw]

Looking good! Only that one last comment about --web-auth :)

[cyberw]

Given that the package we use is called flask-login, perhaps it makes more sense to name the argument --login instead of --auth (and the function parameter name etc. sorry if i'm nit-picking but argument names are really hard to change after the fact. this is my last comment, I swear :)

[andrewbaldwin44]

Yup that makes sense! What do you think about --web-login, that way it is clear it is only for the web UI? (I pushed it so if you like it you can merge it, otherwise I can change it again :) )

[cyberw]

rename this to web_login? or maybe just login...

[cyberw]

Change this to configargparse.SUPPRESS to hide it from the help text and let the error message speak for itself :)

[cyberw]

I made two more comments :)

And also... I have another thought. Maybe we dont even need a command line argument to enable it?

Perhaps we can just check whether someone has registered a user_loader callback (by calling environment.web_ui.login_manager.user_loader(load_user))? That should already be 1:1 with our users wanting to enable login, right?

[andrewbaldwin44]

Unfortunately I don't think there's a clean way to get around having an argument. The issue is that without the argument we need to initialize the LoginManager. And we can't initialize the LoginManager without a user loader without getting an error Missing user_loader or request_loader.... And we can't add a "placeholder" user_loader because then all users will be seeing the login page

[andrewbaldwin44]

I guess we could have the users set their user_loader on the web_ui (as in environment.web_ui.user_loader = my_user_loader). Then we would have to initialize the login_manager in the auth_required_if_enabled and enable auth if a user_loader is provided. My issue with doing it this way is we could be limiting a lot of flexibility by not exposing the login_manager to the user

[cyberw]

I see! Sounds messy. Lets keep the parameter then. Ok to merge?

[andrewbaldwin44]

Let's do it :)

[cyberw]

Agh. I think I made a mistake when merging (or something was wrong with the changes themselves)

Never mind, it is fine, I just made a mistake when testing it :)