Follow-up from "Add internal API endpoint for workspace authorize user access"

MRs:

Description

The following discussions from !203350 (merged) should be addressed:

  • @vtak started a discussion: (+2 comments)

    To ensure we maintain backwards compatibility, we will have to ensure we only allow users to access ports which are mentioned in the devfile. So let's do that in a quick followup.

    Post that, I'd like to explore this idea of just allowing users to access whatever port they want in their workspace without the need to explicitly mention it in the devfile. But for now, let's keep the behaviour as is and do this as a followup.

  • @vtak started a discussion:

    suggestion

    This won't happen. We are always sending only the host name. Let's remove this in a followup since we control the contract. That way, we don't even have to rescue for URI::InvalidURIError.

  • @DylanGriffith started a discussion:

    Question (non-blocking): @cwoolley-gitlab do you know if we have a declarative policy that we can use for authorization rather than implementing the logic inline? This has become a somewhat hot-button issue lately. You can read !203350 (comment 2735205867) for why we care about this. I wouldn't say this is blocking but I'd be surprised if we didn't already have a declarative policy that encoded the authorization we care about here.

Edited by Vishal Tak
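
An added example, not code from the merge request or from GitLab, sketching the check the first discussion asks for: a requested port is allowed only if the workspace's devfile declares it. It assumes the devfile 2.x layout (container components with `endpoints[].targetPort`) and that the requested port arrives as a separate untrusted value; `declared_ports`, `port_allowed?` and the sample devfile are hypothetical names and constructed data.

```ruby
require "yaml"
require "set"

# Constructed sample devfile (devfile 2.x layout: container components declare
# endpoints with a targetPort). Not taken from the issue or the merge request.
SAMPLE_DEVFILE = <<~YAML
  schemaVersion: 2.2.0
  components:
    - name: app
      container:
        image: example.invalid/app:latest
        endpoints:
          - name: http
            targetPort: 3000
          - name: debug
            targetPort: 9229
    - name: data
      volume:
        size: 1Gi
YAML

# Collect every valid targetPort declared on a container component.
def declared_ports(devfile_yaml)
  doc = YAML.safe_load(devfile_yaml) # safe_load: plain data only, no object deserialization
  return Set.new unless doc.is_a?(Hash)

  Array(doc["components"]).each_with_object(Set.new) do |component, ports|
    container = component.is_a?(Hash) ? component["container"] : nil
    next unless container.is_a?(Hash)

    Array(container["endpoints"]).each do |endpoint|
      port = endpoint.is_a?(Hash) ? endpoint["targetPort"] : nil
      ports << port if port.is_a?(Integer) && port.between?(1, 65_535)
    end
  end
rescue Psych::Exception
  Set.new # fail closed: an unparsable devfile declares no ports
end

# Hypothetical helper: strict decimal parsing of the untrusted port, then allowlist lookup.
def port_allowed?(devfile_yaml, requested_port)
  text = requested_port.to_s
  return false unless text.match?(/\A[1-9][0-9]{0,4}\z/)

  declared_ports(devfile_yaml).include?(text.to_i)
end
```

Anything that is not a clean decimal port, and any port the devfile does not list, is denied; a malformed devfile yields an empty allowlist rather than an error path that could be mistaken for success.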