First login fail with 403 on GET /api/user #193

Closed
mathieufrh opened this issue Sep 28, 2016 · 7 comments

@mathieufrh

Hello,

Environment

I just installed semaphore to use it with my ansible on my debian server. The installation is OK. I use mysql 5.7, set the DB and the default user. Everything is OK. As I want to access it using my own domain, I set up an Apache reverse proxy mapping semaphore.my.domain.net to 127.0.0.1:3000.

Actual behavior

Then I go to semaphore.my.domain.net and try to connect with either my default user name or my default user email address and my password. But it fails to log me in with a 403 on /api/user:

[GIN] 2016/09/28 - 07:03:38 | 204 |  226.065112ms | 192.168.30.219 |   POST    /api/auth/login
[GIN] 2016/09/28 - 07:03:38 | 200 |      73.751µs | 192.168.30.219 |   GET     /
[GIN] 2016/09/28 - 07:03:38 | 200 |    1.285614ms | 192.168.30.219 |   GET     /public/css/semaphore.css
[GIN] 2016/09/28 - 07:03:39 | 200 |    4.006176ms | 192.168.30.219 |   GET     /public/js/bundle.js
[GIN] 2016/09/28 - 07:03:39 | 403 |     312.633µs | 192.168.30.219 |   GET     /api/user
[GIN] 2016/09/28 - 07:03:39 | 200 |      52.628µs | 192.168.30.219 |   GET     /public/js/controllers/dashboard.js
[GIN] 2016/09/28 - 07:03:39 | 200 |      22.896µs | 192.168.30.219 |   GET     /public/html/abstract.html
[GIN] 2016/09/28 - 07:03:39 | 200 |      34.851µs | 192.168.30.219 |   GET     /public/js/controllers/login.js
[GIN] 2016/09/28 - 07:03:39 | 200 |      63.565µs | 192.168.30.219 |   GET     /public/js/controllers/projects/edit.js
[GIN] 2016/09/28 - 07:03:39 | 200 |      51.735µs | 192.168.30.219 |   GET     /public/html/auth/login.html
[GIN] 2016/09/28 - 07:03:39 | 200 |      68.441µs | 192.168.30.219 |   GET     /public/html/dashboard.html

Expected behavior

I expect to be logged in after validating my user name/password and get redirected to the dashboard.

Steps to reproduce

  • Install ansible and semaphore
  • Set up semaphore
  • Create Apache rproxy (I don't know if that is part of the issue, but I can't check without it)
  • Try to log in for the first time

@rakshazi
Contributor

Affects 2.0.4
OS: Ubuntu 16.04 x86_64
Installation method: binary on host system (wget + chmod)

It's interesting that this problem was reproduced in my case after enabling HTTP Basic Auth in nginx (which works as a proxy). Without basic auth it works, and without nginx as a reverse proxy it works.

@matejkramny can you help us, please?

@matejkramny
Contributor

I'll look into it

@matejkramny
Contributor

The issue is that the browser sends an Authorization header along with the request, and semaphore looks at that as an API key.

@rakshazi
Contributor

@matejkramny thank you! Can you explain how we can fix this problem on our side?
Basic Auth is required in my case.

@matejkramny
Contributor

I've fixed it in code.

You can locally patch line 18 of api/auth.go with:

	if authHeader := strings.ToLower(c.Request.Header.Get("authorization")); len(authHeader) > 0 && strings.Contains(authHeader, "bearer") {

Going to hopefully release this fix & other improvements later today.
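
An added example, not part of this thread or of the project's code: a stricter form of the same idea, which treats the Authorization header as an API token only when its scheme token is exactly Bearer, so Basic or Digest credentials meant for the reverse proxy fall through to session-cookie login. The function names `bearerToken` and `modeFor`, the returned mode strings and all sample header values are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// bearerToken returns the API token only when the Authorization header is
// exactly "<Bearer> <token>"; the scheme is compared case-insensitively.
// Any other scheme (for example the Basic credentials a browser attaches for
// the reverse proxy) yields ok=false so the caller can use the session cookie.
func bearerToken(h http.Header) (token string, ok bool) {
	parts := strings.Fields(h.Get("Authorization"))
	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
		return "", false
	}
	return parts[1], true
}

// modeFor reports which authentication path a request carrying the given
// Authorization value would take (hypothetical helper for this example).
func modeFor(value string) string {
	h := http.Header{}
	if value != "" {
		h.Set("Authorization", value)
	}
	if _, ok := bearerToken(h); ok {
		return "api-token"
	}
	return "session-cookie"
}

func main() {
	// Constructed sample header values, not taken from the issue.
	samples := []string{
		"",                                    // browser, no proxy auth
		"Basic dXNlcjpwYXNzd29yZA==",          // browser behind proxy Basic Auth
		"Bearer constructed-token",            // API client
		"bearer constructed-token",            // lower-case scheme
		`Digest username="bearer", realm="x"`, // word appears outside the scheme
		"Bearer",                              // scheme without a token
	}
	for _, v := range samples {
		fmt.Printf("%-40q -> %s\n", v, modeFor(v))
	}
}
```

Matching on the scheme token rather than on a substring keeps a credential that merely contains the word "bearer" from being handled as an API key.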

@rakshazi
Contributor

Thank you! Waiting for the new release.

@matejkramny
Contributor

progress tracker: https://github.com/ansible-semaphore/semaphore/projects/1
