(core) clean up interaction of forward auth with session

Summary:
For self-hosted Grist, forward auth has proven useful, where
some proxy wrapped around Grist manages authentication, and
passes on user information to Grist in a trusted header.
The current implementation is adequate when Grist is the
only place where the user logs in or out, but is confusing
otherwise (see https://github.com/gristlabs/grist-core/issues/207).
Here we take some steps to broaden the scenarios Grist's
forward auth support can be used with:

  * When a trusted header is present and is blank, treat
    that as the user not being logged in, and don't look
    any further for identity information. Specifically,
    don't look in Grist's session information.
  * Add a `GRIST_IGNORE_SESSION` flag to entirely prevent
    Grist from picking up identity information from a cookie,
    in order to avoid confusion between multiple login methods.
  * Add tests for common scenarios.

Test Plan: added tests

Reviewers: georgegevoian

Reviewed By: georgegevoian

Differential Revision: https://phab.getgrist.com/D3482

test/nbrowser/testServer.ts

@@ -37,6 +37,7 @@ export class TestServerMerged implements IMochaServer {
   public removeLogin: HomeUtil["removeLogin"];
 
   private _serverUrl: string;
+  private _proxyUrl: string|null = null;
   private _server: ChildProcess;
   private _exitPromise: Promise<number|string>;
   private _starts: number = 0;
@@ -86,6 +87,9 @@ export class TestServerMerged implements IMochaServer {
     const stubCmd = '_build/stubs/app/server/server';
     const isCore = await fse.pathExists(stubCmd + '.js');
     const cmd = isCore ? stubCmd : '_build/core/app/server/devServerMain';
+    // If a proxy is set, use a single port - otherwise we'd need a lot of
+    // proxies.
+    const useSinglePort = this._proxyUrl !== null;
 
     // The reason we fork a process rather than start a server within the same process is mainly
     // logging. Server code uses a global logger, so it's hard to separate out (especially so if
@@ -106,7 +110,10 @@ export class TestServerMerged implements IMochaServer {
       GRIST_SERVE_SAME_ORIGIN: 'true',
       APP_UNTRUSTED_URL : "http://localhost:18096",
       // Run with HOME_PORT, STATIC_PORT, DOC_PORT, DOC_WORKER_COUNT in the environment to override.
-      ...(isCore ? {
+      ...(useSinglePort ? {
+        APP_HOME_URL: this.getHost(),
+        GRIST_SINGLE_PORT: 'true',
+      } : (isCore ? {
         HOME_PORT: '8095',
         STATIC_PORT: '8095',
         DOC_PORT: '8095',
@@ -118,7 +125,7 @@ export class TestServerMerged implements IMochaServer {
         DOC_PORT: '8100',
         DOC_WORKER_COUNT: '5',
         PORT: '0',
-      }),
+      })),
       // This skips type-checking when running server, but reduces startup time a lot.
       TS_NODE_TRANSPILE_ONLY: 'true',
       ...process.env,
@@ -186,7 +193,7 @@ export class TestServerMerged implements IMochaServer {
 
   public getHost(): string {
     if (this.isExternalServer()) { return process.env.HOME_URL!; }
-    return this._serverUrl;
+    return this._proxyUrl || this._serverUrl;
   }
 
   public getUrl(team: string, relPath: string) {
@@ -200,6 +207,12 @@ export class TestServerMerged implements IMochaServer {
     return `${url}${relPath}`;
   }
 
+  // Configure the server to be accessed via a proxy. You'll need to
+  // restart the server after changing this setting.
+  public updateProxy(proxyUrl: string|null) {
+    this._proxyUrl = proxyUrl;
+  }
+
   /**
    * Returns whether the server is up and responsive.
    */

test/server/lib/Authorizer.ts

@@ -17,6 +17,7 @@ let server: FlexServer;
 let dbManager: HomeDBManager;
 
 async function activateServer(home: FlexServer, docManager: DocManager) {
+  await home.loadConfig();
   await home.initHomeDBManager();
   home.addHosts();
   home.addDocWorkerMap();