go-algorand
New DisableAPIAuth option should ignore all passed API tokens
The new DisableAPIAuth config option added in 3.18 (https://github.com/algorand/go-algorand/pull/5625) is quite nice, but unfortunately for any code that already passes tokens, the server considers it an invalid API token.
Shouldn't it simply ignore any token passed in? If no token is acceptable, shouldn't 'any' token just be ignored? This seems the easiest path to allowing a server to migrate to not requiring tokens. Existing callers (with pre-arranged token) continue to work, but new callers don't have to pass one in.
- Software version: 3.18.0
Steps to reproduce
- Set DisableAPIAuth: true in config.json of the server.
- Call the API, setting X-Algo-API-Token to any possible API token value, i.e. -H X-Algo-Api-Token:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
- The call will fail with 'Invalid API token' even though API auth is disabled.
In fact, it appears that passing the X-Algo-API-Token even with a blank token is considered invalid.
I think the solution here is to simply not add the MakeAuth middleware when node.Config().DisableAPIAuth is true. https://github.com/algorand/go-algorand/blob/d4b40867283ba647ddc21cf560215993a08cf11e/daemon/algod/api/server/router.go#L88
I'm looking at this now (apologies for the delay). It appears we did not correctly disable the authentication check. Preparing a follow-up PR.
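The fix suggested in the thread above (do not attach the auth middleware at all when DisableAPIAuth is true), sketched with Go's standard net/http as an added example. It is not go-algorand's router code; requireToken, newRouter, status, the request path and the token values are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const tokenHeader = "X-Algo-API-Token"

// requireToken is a hypothetical stand-in for MakeAuth: reject unless the header equals want.
func requireToken(want string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get(tokenHeader)
		if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
			http.Error(w, "Invalid API token", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter attaches the auth middleware only when auth is enabled, so a supplied token is never inspected otherwise.
func newRouter(disableAPIAuth bool, token string) http.Handler {
	var h http.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	})
	if !disableAPIAuth {
		h = requireToken(token, h)
	}
	return h
}

// status sends one in-process request (constructed sample) and returns the HTTP status code.
func status(h http.Handler, setHeader bool, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/v2/status", nil)
	if setHeader {
		req.Header.Set(tokenHeader, token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	open, locked := newRouter(true, "server-token"), newRouter(false, "server-token")
	fmt.Println(status(open, true, "stale"), status(open, true, ""), status(locked, true, "stale"))
}
```

The same three cases from the report (stale token, blank header, no header) make a useful regression test for the follow-up PR, alongside a check that the enabled path still rejects a wrong token.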