Support BasicAuth in ReverseProxy for Development Servers #1707

Closed
DrTom opened this issue Apr 10, 2024 · 3 comments

@DrTom
Contributor

DrTom commented Apr 10, 2024

✅ Disable Basic-Auth in My-Service
☑️ Set up Basic-Auth in Deploy with exceptions: Admin ...

@neoheat
Collaborator

neoheat commented Apr 22, 2024

Hi @DrTom
We have an issue with the new basic auth in staging/test/etc.

Steps to reproduce (any browser)

  1. open https://staging.leihs.zhdk.ch
  2. enter login credentials in AAD
  3. --> short error popping up, but redirects anyway
  4. logged in in /admin
  5. remove /admin from URL
  6. --> basic auth prompt opens again

@DrTom
Contributor Author

DrTom commented May 7, 2024

This is an expected side effect of our current setup. It has to do with choices we made years ago and how browsers interact with websites. Details following.

The admin app/service accepts basic auth as an authentication method to supply an API token. You can only supply one Basic Auth Header. Therefore all routes under /admin are excluded from the "UI Basic Auth" enforced by the Reverse-Proxy.

Here is what happens:

  1. A user opens Leihs and (possibly via a number of links and redirects) will end up at some path which is protected by "Basic Auth".
  2. The server indicates the requirement for Basic Auth and the browser acts on it with the Basic Auth dialog.
  3. The user supplies credentials, and from here on the browser remembers those and will supply them with each following request.
  4. Everything seems to work as expected until the user hits some path within /admin. Note: every leihs admin will end up in /admin after sign-in succeeded.
  5. Since /admin accepts Basic Auth on its own, it evaluates the supplied header. Since it doesn't contain a valid token, the admin service must respond with a specific error response to the client. This is what you can briefly see on the screen. The browser then removes the Basic Auth information because it was indicated by the admin service as not valid, and then reloads the page.
  6. Interaction with /admin works as expected from here.
  7. However, if the user switches to some non-/admin route, the Basic Auth header is now missing, the Reverse Proxy reacts with an error request, the browser opens the dialog, and so on.

There is no real fix for this. Each solution has tradeoffs. We will have to discuss which compromises are best suited.
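The loop described in this comment (and reproduced in the steps above) can be replayed with a small Python model of the three parties: the reverse proxy that exempts /admin from the UI Basic Auth, the admin service that reads any Basic header as an API token, and a browser that caches Basic credentials and forgets them on a 401. This is an added example, not part of the issue or of the Leihs code base; the credentials, token and paths are constructed, and it assumes the admin service authenticates requests without a Basic header via a session cookie, which the model does not implement.

```python
import base64
from typing import Optional

# Constructed credentials for the model; not values from any Leihs deployment.
UI_USER, UI_PASS = "leihs-ui", "ui-secret"          # "UI Basic Auth" enforced by the proxy
VALID_API_TOKENS = {"constructed-admin-api-token"}  # tokens the /admin service accepts


def basic_header(user: str, password: str) -> str:
    """Build an `Authorization: Basic ...` header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic(header: Optional[str]) -> Optional[tuple[str, str]]:
    """Decode a Basic header into (user, password); None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def admin_service(authorization: Optional[str]) -> int:
    """Hypothetical /admin backend: a Basic header is treated as an API token.
    Without a Basic header the user is assumed to hold a valid session cookie
    (session handling is not modelled), so the request succeeds."""
    creds = parse_basic(authorization)
    if creds is None:
        return 200
    _user, token = creds
    return 200 if token in VALID_API_TOKENS else 401  # step 5: invalid token -> error


def reverse_proxy(path: str, authorization: Optional[str]) -> int:
    """Proxy rule from the issue: /admin is exempt from the UI Basic Auth,
    every other path must carry the UI credentials."""
    if path.startswith("/admin"):
        return admin_service(authorization)
    return 200 if parse_basic(authorization) == (UI_USER, UI_PASS) else 401


class Browser:
    """Minimal model of browser Basic Auth caching: once the user has entered
    credentials they are sent on every request to the origin, and a 401 while
    sending them makes the browser forget them."""

    def __init__(self) -> None:
        self.cached: Optional[str] = None
        self.prompts = 0            # how often the Basic Auth dialog appeared
        self.log: list[str] = []

    def get(self, path: str) -> int:
        status = reverse_proxy(path, self.cached)
        if status == 401 and self.cached is not None:
            # The server rejected the cached credential: drop it and reload (step 5).
            self.log.append(f"GET {path}: cached credential rejected, forgetting it")
            self.cached = None
            status = reverse_proxy(path, None)
        if status == 401:
            # Basic Auth dialog; the user types the UI credentials (steps 2-3).
            self.prompts += 1
            self.log.append(f"GET {path}: Basic Auth dialog shown")
            self.cached = basic_header(UI_USER, UI_PASS)
            status = reverse_proxy(path, self.cached)
        self.log.append(f"GET {path}: {status}")
        return status


def walk_through(paths=("/", "/borrow", "/admin/", "/admin/users", "/borrow")) -> Browser:
    """Replay the sequence from the comment above and return the browser state."""
    browser = Browser()
    for path in paths:
        browser.get(path)
    return browser


if __name__ == "__main__":
    b = walk_through()
    print("\n".join(b.log))
    print(f"Basic Auth dialog shown {b.prompts} times")
```

Running it shows the dialog twice: once on the first protected page, and again on the first non-/admin page after /admin rejected the cached UI credentials. The model also makes the constraint behind the design visible: a request carries exactly one Authorization header, so the same header cannot satisfy the proxy's UI credentials and the admin service's API token at the same time.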

@DrTom
Contributor Author

DrTom commented Jul 9, 2024

#1754

@DrTom DrTom closed this as completed Jul 9, 2024
@neoheat neoheat added this to the 7.6.0 milestone Jul 16, 2024