Error code 14 on 401 unauthorized

[dasois]

The grpc-web client transforms a 401 into status code 14 .

The definition suggests, that it should be error code 16 in this case.

I have the requirement to handle 401 errors differently than if the backend would be unavailable per se.

[stanley-cheung]

Sorry for the late reply. But where did you see that 401 got turned into code 14?

Here: https://github.com/grpc/grpc-web/blob/master/javascript/net/grpc/web/statuscode.js#L156 we mapped 401 to 16.

[harmangakhal]

I have a similar problem; I've set up a web application using
grpc-web/envoy and have an external authorization
HTTP filter than performs JWT authentication of the client requests before allowing them through to the grpc server. When it returns,
a 401 response on JWT authentication failure, I think the response is not propagated because https://github.com/grpc/grpc-web/blob/master/javascript/net/grpc/web/grpcwebclientreadablestream.js#L198-L207 does not handle http_error.
It just default's to UNAVAILABLE so I get a
Object { code: 14, message: "Http response at 400 or 500 level" } response but
the HTTP POST response status code header returns a 401.
Seems like it's getting caught in,

grpc-web/javascript/net/grpc/web/grpcwebclientreadablestream.js

Lines 212 to 218 in e2f999a

	if (self.onErrorCallback_) {
	self.onErrorCallback_({
	code: grpcStatusCode,
	message: ErrorCode.getDebugMessage(lastErrorCode)
	});
	}
	return;

because the error message comes from,
https://github.com/google/closure-library/blob/4f1e354899494227cdf6ddeac9fa1f5b931b39fb/closure/goog/net/errorcode.js#L115-L116.

@stanley-cheung Is this intended behavior? Must my authentication server be a grpc server?

[asv]

Have a similar problem as @haberman. @stanley-cheung could you help us? This is a serious production blocker for my team :(

[asv]

@haberman I found a fast & dirty workaround.
From my ext_authz handler:

func (s *server) Check(ctx context.Context, req *envoyauthz.CheckRequest) (*envoyauthz.CheckResponse, error) {
	headers := req.GetAttributes().GetRequest().GetHttp().GetHeaders()
	sessionCookie, err := parseCookie(headers["cookie"], sessionCookieName)
	if err != nil {
		return responseDenied("can't parse session cookie")
	}
    //... further it doesn’t matter
}

func responseDenied(reason string) (*envoyauthz.CheckResponse, error) {
	return &envoyauthz.CheckResponse{
		Status: &rpc.Status{
			Code:    int32(rpc.UNAUTHENTICATED),
			Message: "Denied: " + reason,
		},
                // Workaround for issue https://github.com/grpc/grpc-web/issues/569
		HttpResponse: &envoyauthz.CheckResponse_DeniedResponse{
			DeniedResponse: &envoyauthz.DeniedHttpResponse{
				Status: &envoytype.HttpStatus{
					Code: envoytype.StatusCode_OK,
				},
				Headers: []*envoycore.HeaderValueOption{
					{
						Append: &types.BoolValue{
							Value: false,
						},
						Header: &envoycore.HeaderValue{
							Key:   "grpc-status",
							Value: strconv.Itoa(int(codes.Unauthenticated)),
						},
					},
					{
						Append: &types.BoolValue{
							Value: false,
						},
						Header: &envoycore.HeaderValue{
							Key:   "grpc-message",
							Value: reason,
						},
					},
				},
			},
		},
	}, nil
}