HBIP check hangs when connection is slow or ends with a network error #261

Closed
asiletto opened this issue Feb 19, 2020 · 6 comments · Fixed by #288
Labels
bug Something is not working.

asiletto commented Feb 19, 2020

Running the quickstart at https://www.ory.sh/docs/next/kratos/quickstart I cannot log in.

Reproducing the bug
I run the kratos quickstart

$ git clone https://github.com/ory/kratos.git
$ cd kratos
$ docker pull oryd/kratos:latest-sqlite
$ docker pull oryd/kratos-selfservice-ui-node:latest
$ docker-compose -f quickstart.yml up --build --force-recreate

The Docker containers are up and I see the logs on the console.


[root ~]# docker -v
Docker version 17.09.0-ce, build afdb6d4

[root ~]# docker-compose -v
docker-compose version 1.25.4, build 8d51620a

[root ~]# docker ps
CONTAINER ID        IMAGE                                    COMMAND                  CREATED             STATUS              PORTS                                                            NAMES
5a171f54a0bd        oryd/oathkeeper:v0.35.5-beta.1           "oathkeeper serve ..."   17 minutes ago      Up 17 minutes       0.0.0.0:4455-4456->4455-4456/tcp                                 kratos_oathkeeper_1
a23cb1ed6186        oryd/kratos:latest-sqlite                "kratos serve -c /..."   17 minutes ago      Up 17 minutes       0.0.0.0:4433-4434->4433-4434/tcp                                 kratos_kratos_1
956e6f92fc6a        oryd/kratos-selfservice-ui-node:latest   "/bin/sh -c 'npm r..."   17 minutes ago      Up 17 minutes       3000/tcp, 0.0.0.0:4435->4435/tcp                                 kratos_kratos-selfservice-ui-node_1
4008af630664        oryd/mailslurper:latest-smtps            "./mailslurper"          17 minutes ago      Up 17 minutes       2500/tcp, 8080/tcp, 8085/tcp, 0.0.0.0:4436-4437->4436-4437/tcp   kratos_mailslurper_1
0d7bccd4cbef        oryd/keto:v0.4.4-alpha.1                 "keto serve"             About an hour ago   Up About an hour    0.0.0.0:4466->4466/tcp                                           keto-server
0c9b9623d868        oryd/hydra-login-consent-node:v1.2.3     "/bin/sh -c 'npm s..."   3 hours ago         Up 3 hours          0.0.0.0:9020->3000/tcp                                           hydra-login-consent-sample
7850f06a04ac        oryd/hydra:v1.2.3                        "hydra serve all"        3 hours ago         Up 3 hours          0.0.0.0:9000->4444/tcp, 0.0.0.0:9001->4445/tcp                   hydra-server
7ddd93310276        mysql:5.7                                "docker-entrypoint..."   3 hours ago         Up 3 hours          0.0.0.0:3306->3306/tcp, 33060/tcp                                hydra-mysql
ac1d856144b8        redis                                    "docker-entrypoint..."   5 weeks ago         Up 5 weeks          0.0.0.0:6379->6379/tcp                                           redis-api
49b0760d0e5e        nginx                                    "nginx -g 'daemon ..."   2 years ago         Up 2 hours          0.0.0.0:80->80/tcp                                               docker-nginx

I try to register a new account at http://127.0.0.1:4455/auth/registration?request=45057136-d6fc-4e5c-aef1-9df5e54b2658

I click sign-up and the browser hangs indefinitely.

The call to http://127.0.0.1:4455/.ory/kratos/public/self-service/browser/flows/registration/strategies/password?request=45057136-d6fc-4e5c-aef1-9df5e54b2658 waits forever for a response.

Server logs

oathkeeper_1                  | [cors] 2020/02/19 14:14:38 Handler: Actual request
oathkeeper_1                  | [cors] 2020/02/19 14:14:38   Actual response added headers: map[Access-Control-Allow-Credentials:[true] Access-Control-Allow-Origin:[*] Access-Control-Expose-Headers:[Content-Type] Vary:[Origin]]
oathkeeper_1                  | {"level":"info","method":"POST","msg":"started handling request","remote":"172.20.0.1:48486","request":"/.ory/kratos/public/self-service/browser/flows/registration/strategies/password?request=45057136-d6fc-4e5c-aef1-9df5e54b2658","time":"2020-02-19T14:14:38Z"}
kratos_1                      | time="2020-02-19T14:14:38Z" level=info msg="started handling request" method=POST name="public#http://127.0.0.1:4455/.ory/kratos/public/" remote="172.20.0.5:43296" request="/self-service/browser/flows/registration/strategies/password?request=45057136-d6fc-4e5c-aef1-9df5e54b2658"

asiletto changed the title from "error recreating the quickstart at" to "error recreating the quickstart at https://www.ory.sh/docs/next/kratos/quickstart" on Feb 19, 2020

Member

aeneasr commented Feb 19, 2020

Thanks, I'll investigate. Is the kratos_1 message the last one you're seeing?

@asiletto
Author

@aeneasr yes that is the last message

@asiletto
Author

The problem seems to be due to the containers not having direct access to the internet in my installation (I am trying to do a demo for my enterprise). Maybe there is some service that validates the password against a common password database and requires internet access?

Running the quickstart again on a clean DigitalOcean droplet seems to solve the problem. Everything is working.

Member

aeneasr commented Feb 19, 2020

Ahh yeah, that is definitely the problem! We're using the Have I Been Pwned API to check the (obfuscated of course) password and see if it has already been leaked before. I thought we had a failsafe that covers cases like yours but it appears that the retry is running too long.

Nice find, I was just about to say that I can't reproduce your issue :)

aeneasr added the bug ("Something is not working.") label on Feb 19, 2020
aeneasr changed the title from "error recreating the quickstart at https://www.ory.sh/docs/next/kratos/quickstart" to "HBIP check hangs when connection is slow or ends with a network error" on Feb 19, 2020
aeneasr added this to the v0.1.2-alpha.1 milestone on Feb 19, 2020
aeneasr added this to To do in Maintainer's Board via automation on Feb 19, 2020
aeneasr added a commit that referenced this issue Mar 15, 2020
Maintainer's Board automation moved this from To do to Done Mar 15, 2020
aeneasr added a commit that referenced this issue Mar 15, 2020
@davidthor

@aeneasr is there any way to disable this, and any other features that require network calls, in the Kratos config? I’d like to be able to control/inventory the external calls being made from services for whitelisting.

Member

aeneasr commented Aug 21, 2020

It can't be disabled but the current setup ignores network errors: 735b435#diff-81086275e5192de90683a5cb302f8d52R64
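
The behaviour discussed in this thread, as an added example that is not Kratos code and not part of the original discussion: a Have I Been Pwned range lookup that sends only a five-character SHA-1 prefix, is bounded by one overall deadline so a host without egress cannot hang the request, and reports a skipped check separately from a clean result so the caller can log it. The name `checkPwned`, its `baseURL` parameter and the return shape are assumptions; the public service answers at `https://api.pwnedpasswords.com/range/<prefix>`, which is the one outbound destination an egress allowlist would need for this check.

```go
package main

import (
	"bufio"
	"context"
	"crypto/sha1"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// checkPwned is a hypothetical helper (not Kratos code). It sends only the first
// five hex characters of the SHA-1 digest, bounds the whole call with a deadline,
// and returns checked=false (skipped, not rejected) when the API is unreachable.
func checkPwned(baseURL, password string, timeout time.Duration) (count int, checked bool) {
	sum := fmt.Sprintf("%X", sha1.Sum([]byte(password)))
	prefix, suffix := sum[:5], sum[5:]
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, baseURL+"/range/"+prefix, nil)
	if err != nil {
		return 0, false
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, false // network error or deadline hit: the caller should log the skip
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return 0, false
	}
	sc := bufio.NewScanner(resp.Body)
	for sc.Scan() { // each response line is "<35 hex chars of suffix>:<count>"
		parts := strings.SplitN(strings.TrimSpace(sc.Text()), ":", 2)
		if len(parts) == 2 && strings.EqualFold(parts[0], suffix) {
			n, err := strconv.Atoi(parts[1])
			return n, err == nil
		}
	}
	return 0, sc.Err() == nil // no match: password not in the returned range
}

func main() {
	// 127.0.0.1:1 is assumed to be closed; it stands in for a host without egress.
	n, checked := checkPwned("http://127.0.0.1:1", "password", 2*time.Second)
	fmt.Println("count:", n, "checked:", checked)
}
```

Because a failed lookup lets the password through, `checked == false` is worth a metric or log line: in an environment that blocks egress, the breached-password check is otherwise skipped without any visible signal.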
