
Basic auth login issue

Open vdice opened this issue 3 years ago • 7 comments

I'm having trouble logging in with basic auth. Tested with latest commit on main (as of writing: d62d537bb096fb8ce25cabb731471b7a500d7e10) and most recent v0.8.0 tag.

However, I may be missing something. Here's my flow:

  1. Generate htpassword file, start bindle server
$ echo ${PASSWORD} | htpasswd -cBi ./htpassword admin
Adding password for user admin

$ AUTH_MODE='--htpasswd-file ./htpassword' make serve
cargo run --features cli --bin bindle-server -- --directory /Users/vdice/.bindle/bindles --address 127.0.0.1:8080   --htpasswd-file ./htpassword
    Finished dev [unoptimized + debuginfo] target(s) in 0.07s
     Running `target/debug/bindle-server --directory /Users/vdice/.bindle/bindles --address '127.0.0.1:8080' --htpasswd-file ./htpassword`
2022-02-04T17:59:10.224917Z  WARN bindle_server: No config file loaded error=failed to read TOML file /Users/vdice/Library/Application Support/bindle/server.toml: No such file or directory (os error 2)
2022-02-04T17:59:10.224995Z  WARN bindle_server: No keyring.toml found. Using default keyring.
2022-02-04T17:59:10.225172Z  INFO bindle_server: Using verification strategy of GreedyVerification
2022-02-04T17:59:10.225505Z  INFO bindle_server: Starting server at 127.0.0.1:8080, and serving bindles from /Users/vdice/.bindle/bindles
2022-02-04T17:59:10.225520Z  INFO bindle_server: Using FileProvider
2022-02-04T17:59:10.225528Z  INFO bindle_server: Auth mode: HTTP Basic Auth
2022-02-04T17:59:10.225677Z DEBUG bindle::provider::file: Creating new file provider path=/Users/vdice/.bindle/bindles cache_size=50
2022-02-04T17:59:10.225755Z DEBUG bindle::provider::file: warming index
2022-02-04T17:59:10.225768Z  INFO bindle::provider::file: Beginning index warm path=/Users/vdice/.bindle/bindles
2022-02-04T17:59:10.225965Z  INFO bindle::provider::file: Loading invoice into search index path=/Users/vdice/.bindle/bindles/invoices/26a53c8670e4bbcb1ec1adbb0f87b6a28a363636835e67d7ebd4f7cba6db3753/invoice.toml
2022-02-04T17:59:10.242246Z  INFO bindle::provider::file: Loading invoice into search index path=/Users/vdice/.bindle/bindles/invoices/9952d6c87384a10846abdb9cd8a84796bb36b3d12140144f3b59b1d77cba4811/invoice.toml
2022-02-04T17:59:10.257905Z  INFO bindle::provider::file: Loading invoice into search index path=/Users/vdice/.bindle/bindles/invoices/59ec977e4fcca995e928e61bb4f25869a058f85479a6b63ea0e4d61e2794b4c1/invoice.toml
2022-02-04T17:59:10.273870Z  INFO bindle::provider::file: Loading invoice into search index path=/Users/vdice/.bindle/bindles/invoices/c809013db4f25a514a3d9dea69edbe10c81a75e625cab979f238e35ead864ed0/invoice.toml
2022-02-04T17:59:10.289691Z  INFO bindle::provider::file: Loading invoice into search index path=/Users/vdice/.bindle/bindles/invoices/912a4ee7f7401408279eb3c646591ecb33953c7cffc01086df50ee891e2c4911/invoice.toml
2022-02-04T17:59:10.305543Z DEBUG bindle::provider::file: Warmed index total_indexed=5
2022-02-04T17:59:10.305658Z DEBUG bindle::server: No TLS config found, starting server in HTTP mode
  2. Attempt to log in:
$ BINDLE_URL="http://127.0.0.1:8080/v1" BINDLE_HTTP_USER="admin" BINDLE_HTTP_PASSWORD="${PASSWORD}" bindle login
Error contacting server: The request could not be handled by the server. Verify your Bindle server URL
  3. Bindle server logs:
2022-02-04T18:00:09.483206Z  INFO request{method=GET path=/v1/login version=HTTP/1.1 remote.addr=127.0.0.1:56443}: warp::filters::trace: processing request
2022-02-04T18:00:09.483632Z ERROR request{method=GET path=/v1/login version=HTTP/1.1 remote.addr=127.0.0.1:56443}: bindle::server::handlers::v1: Unable to parse device auth url error=RelativeUrlWithoutBase
2022-02-04T18:00:09.483725Z DEBUG request{method=GET path=/v1/login version=HTTP/1.1 remote.addr=127.0.0.1:56443}: bindle::server::reply: Parsed accept header into list accept_value=application/toml accept_items=["application/toml"]
2022-02-04T18:00:09.483784Z DEBUG request{method=GET path=/v1/login version=HTTP/1.1 remote.addr=127.0.0.1:56443}: bindle::server::reply: Selected a best-fit MIME best_fit=application/toml
2022-02-04T18:00:09.483865Z  INFO request{method=GET path=/v1/login version=HTTP/1.1 remote.addr=127.0.0.1:56443}: warp::filters::trace: finished processing with success status=400

Feb 04 '22 18:02 vdice

This looks like it is somehow hitting the oauth flow code for some reason

2022-02-04T18:00:09.483632Z ERROR request{method=GET path=/v1/login version=HTTP/1.1 remote.addr=127.0.0.1:56443}: bindle::server::handlers::v1: Unable to parse device auth url error=RelativeUrlWithoutBase

Feb 04 '22 18:02 thomastaylor312

Oh @vdice because it is HTTP basic auth, you don't need to bindle login. You can just set the user and password and be good to go

Feb 04 '22 18:02 thomastaylor312

I think the solution here is:

  • Document this behavior
  • Update the client to just return if http basic auth is set

Feb 04 '22 18:02 thomastaylor312
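
The client-side change proposed in the comment above, sketched as an added example (not code from the bindle repository): with basic-auth credentials configured, `login` returns without calling `/v1/login`, and the credentials go out as an `Authorization` header on each request. `AuthMode`, `LoginOutcome`, `select_auth_mode`, `login` and `authorization_header` are hypothetical names, and the credential pair in `main` is a constructed sample.

```rust
// Added illustration, not bindle's code; every name here is hypothetical.
#[derive(Debug, PartialEq)]
enum AuthMode { Basic { user: String, password: String }, DeviceFlow }
// NotRequired: credentials ride on every request. StartDeviceFlow: go on to GET /v1/login.
#[derive(Debug, PartialEq)]
enum LoginOutcome { NotRequired, StartDeviceFlow }

// Pick the mode from the optional BINDLE_HTTP_USER / BINDLE_HTTP_PASSWORD values.
// A basic-auth user-id cannot be empty or contain ':' (it is the separator).
fn select_auth_mode(user: Option<&str>, password: Option<&str>) -> Result<AuthMode, String> {
    match (user, password) {
        (None, None) => Ok(AuthMode::DeviceFlow),
        (Some(u), Some(_)) if u.is_empty() || u.contains(':') => Err("invalid user".into()),
        (Some(u), Some(p)) => Ok(AuthMode::Basic { user: u.into(), password: p.into() }),
        _ => Err("user and password must be set together".into()),
    }
}

// The proposed client fix: return early instead of requesting a device-auth URL.
fn login(mode: &AuthMode) -> LoginOutcome {
    match mode {
        AuthMode::Basic { .. } => LoginOutcome::NotRequired,
        AuthMode::DeviceFlow => LoginOutcome::StartDeviceFlow,
    }
}

// Standard padded base64 (the standard library ships no encoder).
fn base64(input: &[u8]) -> String {
    const T: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = String::new();
    for c in input.chunks(3) {
        let (b1, b2) = (*c.get(1).unwrap_or(&0) as u32, *c.get(2).unwrap_or(&0) as u32);
        let n = (c[0] as u32) << 16 | b1 << 8 | b2;
        for i in 0..4 {
            out.push(if i <= c.len() { T[((n >> (18 - 6 * i)) & 63) as usize] as char } else { '=' });
        }
    }
    out
}

// Header value for each request in basic mode; None means a stored token is used instead.
fn authorization_header(mode: &AuthMode) -> Option<String> {
    match mode {
        AuthMode::Basic { user, password } => Some(format!("Basic {}", base64(format!("{user}:{password}").as_bytes()))),
        AuthMode::DeviceFlow => None,
    }
}
fn main() {
    let mode = select_auth_mode(Some("Aladdin"), Some("open sesame")).unwrap(); // constructed sample
    println!("{:?} -> {:?}", login(&mode), authorization_header(&mode));
}
```

The header value is only base64-encoded, so it is readable on the wire when the server runs in HTTP mode, as it does in the startup log above.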

Ah, I see. Thanks @thomastaylor312. Path forward sgtm.

Feb 04 '22 18:02 vdice

@thomastaylor312 could the login flow w/ basic auth also create a session token with the provided un/pw so that it doesn't need to be passed in on further actions again? a la oidc? Or is this an anti-pattern w/ basic auth?

Feb 04 '22 18:02 vdice

I think that could work! You'd store it just like an OIDC token. We should probably capture that in another issue if you want to go that way

Feb 04 '22 19:02 thomastaylor312

Oops, there are actually a few items needed to resolve this issue, as mentioned in https://github.com/deislabs/bindle/issues/302#issuecomment-1030246302

Feb 23 '22 19:02 vdice