breakfix: API Key Authorization Not Working - ERROR api key payload is malformed
Describe the issue
I am trying to use the API Key authorization method, but am running into the following error message:
2025/03/20 22:41:57.130 WARN security api key lookup failed {"source_address": "<REDACTED>", "custom_auth": "apikey", "realm": "local", "error": "api key payload is malformed"}
2025/03/20 22:41:57.130 ERROR http.handlers.authentication auth provider returned error {"provider": "authorizer", "error": "user authorization failed: src_ip=<REDACTED>, src_conn_ip=::1, reason: api key authentication via authproxy failed"}
I am passing the X-Api-Key header in the request. I am able to login correctly and create API keys using the web interface.
I spent some time going through the docs as well and numerous related issues, but I was unable to resolve the problem on my own. I believe I am setting up the Caddyfile correctly, but I could be wrong as I am inexperienced with Caddy and its config file in general.
Configuration
{
    order authenticate before respond
    order authorize before basicauth
    security {
        local identity store localdb {
            realm local
            path {$PWD}/users.json
        }
        authentication portal myportal {
            enable identity store localdb
            cookie domain my.domain.com
            cookie lifetime 3600
        }
        authorization policy api_policy {
            disable auth redirect
            with api key auth portal myportal realm local
            acl rule {
                match role authp/user authp/admin
                allow stop log info
            }
        }
    }
}
:2019 {
    route /auth* {
        authenticate with myportal
    }
    route /test* {
        authorize with api_policy
        respond "API endpoint accessed successfully"
    }
}
Version Information
Provide output of caddy list-modules --versions | grep -E "(auth|security)" below:
http.authentication.hashes.bcrypt v2.9.1
http.authentication.providers.http_basic v2.9.1
http.handlers.authentication v2.9.1
tls.client_auth.verifier.leaf v2.9.1
http.authentication.providers.authorizer v1.1.29
http.handlers.authenticator v1.1.29
security v1.1.29
Expected behavior
The expected behavior is to register an API key for a user and be able to authorize use of protected endpoints by adding the X-Api-Key header to the request.
Additional context
I am using an ngrok tunnel for my localhost.
After building the plugin and going through the code, it seems as if the issue was caused by the api key regex pattern, which was causing the generated api key to be 64 characters, which didn't meet the 72-character requirement for the api keys. I was able to resolve the issue, but I'm curious if you wanted me to make a pull request for the fix? Let me know if this is indeed a valid fix, and if you'd like I could submit the changes.
Thanks
@captainpryce , I am in the process of updating packages right now. Will fix as part of the upgrade.
@captainpryce , I think this is related issue https://github.com/greenpau/caddy-security/issues/224
Where is the "caused by api key regex pattern"?
@captainpryce , found it. Will fix it today.
Hey @greenpau sorry I never followed up on my previous post, after I properly went through everything, I realized the error stems from the client side api key generator. The linked issue is exactly what I stumbled across a little after while I was investigating, but as mentioned in that issue the UI isn't included in this repository, only the minified js is. I wasn't able to actually resolve the issue as a result. I appreciate you taking the time to fix this issue. Let me know if there's anything I can do to help.
Thanks
var apiKeyRegexPattern1 = regexp.MustCompile(`^[A-Za-z0-9]{72,96}$`)
@captainpryce , isn't the above the fix for what you were experiencing?
related issue with a workaround
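To make the root cause in this thread concrete, the following is an added stand-alone Go example (not code from caddy-security or from either commenter) that applies the 72..96 alphanumeric payload pattern quoted above to keys of different lengths: a 64-character key, as produced by the client-side generator, fails with the same "malformed" reason, while a compliant key passes. The helper names and the crypto/rand generator are assumptions for illustration only.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"regexp"
)

// apiKeyPattern is the payload pattern quoted in the thread:
// 72 to 96 alphanumeric characters, nothing else.
var apiKeyPattern = regexp.MustCompile(`^[A-Za-z0-9]{72,96}$`)

// ValidateAPIKeyPayload returns an error for any payload that does not
// match the pattern, mirroring the server-side "malformed" rejection.
// (Hypothetical helper, not the caddy-security implementation.)
func ValidateAPIKeyPayload(payload string) error {
	if !apiKeyPattern.MatchString(payload) {
		return fmt.Errorf("api key payload is malformed: got %d characters, want 72..96 alphanumeric", len(payload))
	}
	return nil
}

// GenerateAPIKey draws n characters uniformly from the allowed alphabet
// using crypto/rand (rand.Int avoids modulo bias). It deliberately does
// not enforce the length bounds, so the caller can see how a generator
// that emits 64 characters produces keys the validator rejects.
func GenerateAPIKey(n int) (string, error) {
	const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
	out := make([]byte, n)
	alphabetLen := big.NewInt(int64(len(alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, alphabetLen)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[idx.Int64()]
	}
	return string(out), nil
}

func main() {
	for _, n := range []int{64, 72, 96, 97} {
		key, err := GenerateAPIKey(n)
		if err != nil {
			panic(err)
		}
		fmt.Printf("length %d: %v\n", n, ValidateAPIKeyPayload(key))
	}
}
```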