-
-
Notifications
You must be signed in to change notification settings - Fork 7.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[v4] API token get invalidated seemingly at random #12255
Comments
Are you using a custom plugin? |
No. The settings are generated through Settings -> API Tokens. |
Hello, Iam also having sort of same situation with both Next.js frontend and Strapi backend sitting at Digital Ocean App platform. |
I checked our deploy logs and the failed frontend deploys relate to backend deploys on our site, too. |
This sounds similar to what we're getting too over at #12212 |
Can't reproduce locally, need additional basic steps to reproduce 🤔 |
Unfortunately, it’s impossible to reproduce this locally. It only seems to happen in a remote deployment environment. I’ve been working on this project since December and the issue came up only after we set up the prod env two days ago. |
@ovlb Do you find that if you point your local version to look at the same database as your deployed version, that tokens don't work across both as shown here?: I was finding that to be the case, in addition to the tokens becoming seemingly randomly invalidated on the hosted environment. Are tokens somehow linked to the environment the service is deployed to? And perhaps changes in the environment, or the service perhaps being shutdown/moved and restarted on a different physical server on Digital Ocean, or in my case Heroku, is causing them to become invalid? |
@MichaelLegg Yup, it’s basically the same. |
Some more testing around this, running locally. If you create a token on a machine where the backend Strapi service is running (npm run develop), it works fine. it even continues to work if you restart the Strapi service or reboot the machine. If you try to use that token on a different machine that's also locally running the Strapi service, you get a 403 (to be clear, both are pointing at the same, hosted database). Are API tokens stored locally on the machine they're generated on as opposed to in the database? |
Ah. So correct me if I'm wrong, but it looks like a Strapi instance will generate it's own API_TOKEN_SALT environment variable the first time you create an API token (or just when the env variable doesn't already exist). It then uses this salt going forward to validate and generate API tokens. These obviously aren't committed - and since one didn't exist (for me at least) in my .env file when I first deployed to my hosting platform (because I hadn't yet created an API token), I never ended up configuring it on there. Then - since I'm currently hosting on shared infrastructure that shuts itself down after a period of inactivity, the API_TOKEN_SALT environment variable was getting recreated every time it was spooled back up, and the environment variables loaded in. I'm unsure if this is the same issue you're having @ovlb, but that seems likely to be the issue in my instance. EDIT: I'm not sure what the solution here would be - it's not technically a bug, but it could perhaps be a good idea if the first time this environment variable gets created, it warns in the UI that it's been added, so that developers know to add the variable to their .env. |
Thanks for investigating this. I'm already in the weekend. Will verify if it's similar on our side on Monday. |
No worries. Hopefully it's as simple as that. Taking a looking at the docs for v4, they currently suggest that the salt should get automatically stored in /config/env/admin.js, and that you can optionally put it in your .env instead. Looking in my admin.js however, it doesn't seem to have been added automatically - so a possible bug there. It also seems like a bit of a security issue to automatically populate a .js file with a salt, even if it was working. |
It's exactly that, and it's why I couldn't reproduce it. |
Unfortunately I am also experiencing this with the basic JWT token to validate requests for strapi. Any idea? |
Set the |
Hey, i have set the API TOKEN SALT in my env’s. And also as statet per docs in admin.js in the object: apiToken: { This does not change the behaviour.. |
Are you passing a static salt key in your deployed environment? Where are you hosting? |
Jo Derrick, Yes I am.
And I am hosting stuff on Heroku. I see the correct salt key outputted in the console.log. So things are static over each deployment. |
@kevinvugts is it every deployment you see the failure? |
So, finally got back to the project. It seems like the issue is solved for me too by adding the Salt to my deploy environment. @kevinvugts Have you tried deploying without setting @derrickmehaffy Can you explain the reasons that made you develop the feature in this way? Wouldn’t it be possible to generate a UUID once during project bootstrapping (similar to the |
It's set in the filesystem, not in the database. This is normal for most configuration options in Strapi such as the U&P JWT secret and Admin JWT secret. There was some odd choices we made with how to auto-generate these secrets because we saw a lot of people in v3 not changing the defaults which is extremely insecure (even though we clearly documented how to) so a decision was made to forcefully generate new random ones if they weren't defined. The decision was slightly flawed by us doing it in a .env file (which has been changed now for production) and instead we will simply throw an error if the user doesn't set the keys via the normal means. Our purpose is to help everyone be made aware of how to properly secure their applications and the simple answer is using environment variables properly. This will be made more clear when we completely overhaul our deployment documentation in the future. |
Gotcha, thanks :) |
Hopefully it's going to be fixed by #12287 |
This issue has been mentioned on Strapi Community Forum. There might be relevant details there: https://forum.strapi.io/t/modifying-api-token-lifetime/16053/5 |
@kevinvugts, did you try to generate a new API key after setting the SALT env var ? It's what i had to do to make it work. (and no need to change the config file) |
This issue has been mentioned on Strapi Community Forum. There might be relevant details there: https://forum.strapi.io/t/api-token-salt-generation-strategy/37040/1 |
Bug report
Describe the bug
We have a Strapi instance running on Digital Ocean. We use the API from it to deploy a site on Netlify.
When creating an API key, the first build always succeeds. After that it gets weird. We had some tokens which worked for two or three deploys, another one which worked for around 24 hours. The last two were returning 401 errors after the first deploy.
Here’s what we ruled out so far:
The problem did not show up during local development but only since we use the «proper» deploy with DO/Netlify.
For now, we’ve changed the access permissions for the necessary post types to be public, as we must publish the prod site this evening. But that’s obviously not a long term solution.
Is there any config we might have missed?
Steps to reproduce the behavior
Expected behavior
An API key should work.
System
Additional context
Add any other context about the problem here.
The text was updated successfully, but these errors were encountered: