cli
Basic auth credentials are omitted on api requests
It is possible to set up a context with an API URL that contains authentication credentials for basic auth, but when the CLI makes requests to the API they get omitted.
Steps to reproduce:
- Generate some
$ htpasswd -nbBC 8 fn mysecretpassword
fn:$2y$08$eXPyw.TUynvtd5EB750tJeBATIhM2gmY0SggFcEeDBetC7cuCfbp2
- Start a local fn instance with a proxy in front of it that does the basic authentication via docker. Replace the hostname with your own!
$ docker network create fn
$ docker run -d --rm \
    --name fn \
    --privileged \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    --network fn \
    --label traefik.enable=true \
    --label traefik.port=8080 \
    --label traefik.frontend.rule=Host:MacBook-Pro-2.fritz.box \
    --label traefik.frontend.auth.basic.users=fn:\$2y\$08\$eXPyw.TUynvtd5EB750tJeBATIhM2gmY0SggFcEeDBetC7cuCfbp2 \
    fnproject/fnserver:0.3.707
$ docker run -d --rm \
    --name traefik \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    --network fn \
    --publish 80:80 \
    --publish 8080:8080 \
    traefik:v1.7.12-alpine \
    --entryPoints='Name:http Address::80' \
    --defaultentrypoints='http' \
    --docker \
    --docker.domain=MacBook-Pro-2.fritz.box \
    --docker.exposedbydefault=false \
    --loglevel=INFO
Traefik is a cloud native reverse proxy / load-balancer. In this setup traefik searches docker for running containers and routes traffic based on labels it finds on the containers.
- Check that the fn api is up and requires basic authentication.
$ curl MacBook-Pro-2.fritz.box/v2/apps
401 Unauthorized
$ curl fn:mysecretpassword@MacBook-Pro-2.fritz.box/v2/apps
{"items":[]}%
- Set up a context with the fn cli
$ fn create context --api-url "http://fn:mysecretpassword@MacBook-Pro-2.fritz.box" auth
Successfully created context: auth
$ fn use ctx auth
Now using context: auth
$ fn list contexts
CURRENT  NAME     PROVIDER  API URL                                              REGISTRY
*        auth     default   http://fn:mysecretpassword@MacBook-Pro-2.fritz.box
         default  default   http://localhost:8080
- Query something
$ fn list apps
Fn: &{ } (*modelsv2.Error) is not supported by the TextConsumer, can be resolved by supporting TextUnmarshaler interface
See 'fn <command> --help' for more information. Client version: 0.5.81
Unfortunately this error message is not really user friendly / understandable. But it is possible to use the traefik Total Status Code Count at http://localhost:8080/dashboard/status to see that the proxy responded with 401 Unauthorized.
I also used an HTTP debug proxy (Charles) to verify that the authorization header is missing on the requests to the backend.
Expected behaviour
- A better error message in cases where api calls do not succeed.
- If it is possible to set up an API URL with basic auth credentials, I expect them to be used for requests. Or at least not be able to successfully configure an API URL with credentials.
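
Added example, not code from the fn CLI or from this issue: a Go sketch of the reported failure mode and of a transport that honours credentials embedded in the API URL. It assumes a client that rebuilds request URLs from only the scheme and host of the configured URL; `basicAuthTransport`, `recorder`, `sentAuthHeader` and the sample URL are hypothetical names and constructed values.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// basicAuthTransport re-attaches credentials parsed from the configured API URL.
type basicAuthTransport struct {
	creds *url.Userinfo
	next  http.RoundTripper
}

func (t basicAuthTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if t.creds != nil && req.Header.Get("Authorization") == "" {
		req = req.Clone(req.Context()) // never mutate the caller's request
		pass, _ := t.creds.Password()
		req.SetBasicAuth(t.creds.Username(), pass)
	}
	return t.next.RoundTrip(req)
}

type recorder struct{ auth string } // stands in for the network (no traffic is sent)

func (r *recorder) RoundTrip(req *http.Request) (*http.Response, error) {
	r.auth = req.Header.Get("Authorization")
	return &http.Response{StatusCode: http.StatusOK, Body: http.NoBody}, nil
}

// sentAuthHeader returns the Authorization header that would reach the proxy.
func sentAuthHeader(apiURL string, reattach bool) (string, error) {
	u, err := url.Parse(apiURL)
	if err != nil {
		return "", err
	}
	rec := &recorder{}
	var rt http.RoundTripper = rec
	if reattach {
		rt = basicAuthTransport{creds: u.User, next: rec}
	}
	// Assumption: the client keeps only scheme and host, so userinfo is lost here.
	base := url.URL{Scheme: u.Scheme, Host: u.Host, Path: "/v2/apps"}
	req := &http.Request{Method: "GET", URL: &base, Header: http.Header{}}
	_, err = rt.RoundTrip(req)
	return rec.auth, err
}

func main() {
	fmt.Println(sentAuthHeader("http://fn:constructed-pw@fn.example.test", true))
}
```

Calling `sentAuthHeader` with `reattach` set to `false` returns an empty header, which is the request a proxy enforcing basic auth answers with 401.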
2 years later, I am facing this problem. Hopefully this will get supported soon.
Reason being I have multiple dashboards (traefik included), each using basic auth middleware. As such it is useful to get the 401 metrics.