Skip to content

fix: forward incoming auth headers in webpack dev proxy#1013

Open
mturley wants to merge 1 commit intokubeflow:notebooks-v2from
mturley:fix/dev-proxy-forward-auth-headers
Open

fix: forward incoming auth headers in webpack dev proxy#1013
mturley wants to merge 1 commit intokubeflow:notebooks-v2from
mturley:fix/dev-proxy-forward-auth-headers

Conversation

@mturley
Copy link
Copy Markdown

@mturley mturley commented Apr 3, 2026

Description

The webpack dev server captures the kubeconfig token at startup and sets it as a static proxy header via headers: getProxyHeaders(). This overwrites any dynamically forwarded auth headers from a host backend proxy, breaking dev impersonation (e.g. DEV_IMPERSONATE_USER/DEV_IMPERSONATE_PASSWORD).

This PR replaces the static headers approach with an onProxyReq callback that dynamically forwards the Authorization header from each incoming request when present, falling back to the startup-captured token for standalone dev mode.

The same fix was applied to the model-registry UI in kubeflow/hub#2544.

Changes

  • Split getProxyHeaders() into:
    • getKubeconfigToken() — captures kubeconfig token at startup (fallback)
    • getProxyHeaders() — returns only static headers (kubeflow-userid for internal auth)
    • onProxyReq — dynamically forwards Authorization and x-forwarded-access-token headers per request
  • Proxy config now uses both headers: getProxyHeaders() (static) and onProxyReq (dynamic)

How Has This Been Tested?

Tested manually in the model-registry module (same fix pattern) against an ODH cluster:

  1. Started the host backend with DEV_IMPERSONATE_USER and DEV_IMPERSONATE_PASSWORD set
  2. Verified the bug: with static headers, the impersonated user's token was overwritten by the startup token
  3. Verified the fix: with onProxyReq, the incoming auth header from the host proxy is forwarded correctly

@mturley @claude
fix(workspaces): forward incoming auth headers in webpack dev proxy
3494477 
The webpack dev server captures the kubeconfig token at startup and sets
it as a static proxy header. This overwrites any dynamically forwarded
auth headers from a host backend proxy, breaking dev impersonation.

Replace the static headers approach with an onProxyReq callback that
dynamically forwards the Authorization header from each incoming request
when present, falling back to the startup-captured token for standalone
dev mode.

Signed-off-by: Mike Turley <mturley@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Mike Turley <mike.turley@alum.cs.umass.edu>
@github-project-automation github-project-automation Bot moved this to Needs Triage in Kubeflow Notebooks Apr 3, 2026
@google-oss-prow google-oss-prow Bot added the area/frontend area - related to frontend components label Apr 3, 2026
@google-oss-prow google-oss-prow Bot requested review from ederign and paulovmr April 3, 2026 19:19
@google-oss-prow
Copy link
Copy Markdown

google-oss-prow Bot commented Apr 3, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign paulovmr for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow Bot added area/v2 area - version - kubeflow notebooks v2 size/M labels Apr 3, 2026
@mturley mturley mentioned this pull request Apr 3, 2026
Merged
5 tasks
@mturley mturley changed the title fix(workspaces): forward incoming auth headers in webpack dev proxy fix: forward incoming auth headers in webpack dev proxy Apr 3, 2026
thaorell
thaorell approved these changes Apr 6, 2026
View reviewed changes
Copy link
Copy Markdown

@thaorell thaorell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

I have tested and the changes work accordingly, @caponetto can you (optionally) offer a secondary review on this?

@google-oss-prow google-oss-prow Bot added the lgtm label Apr 6, 2026
@thaorell
Copy link
Copy Markdown

thaorell commented Apr 6, 2026

/ok-to-test

@caponetto
Copy link
Copy Markdown

caponetto commented Apr 6, 2026

Thanks @mturley!

/lgtm

@ederign
Copy link
Copy Markdown
Member

ederign commented Apr 7, 2026

/hold

We are looking with the MR folks to see why they did this in this way.

@mturley
Copy link
Copy Markdown
Author

mturley commented Apr 28, 2026

@ederign the MR PR is merged now, should we unhold this one? Not sure if I missed discussions about the approach. cc @lucferbux

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ederign ederign Awaiting requested review from ederign

@paulovmr paulovmr Awaiting requested review from paulovmr

1 more reviewer

@thaorell thaorell thaorell approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@caponetto caponetto

@thaorell thaorell

Labels

area/frontend area - related to frontend components area/v2 area - version - kubeflow notebooks v2 do-not-merge/hold lgtm ok-to-test size/M

Projects

Kubeflow Notebooks
Status: Needs Triage

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mturley @thaorell @caponetto @ederign