
401 Unauthorized when trying to get admin token

admarrs opened this issue 3 years ago • 8 comments

Following the Test drive, I get the following when trying to get-token for the admin user:

site > bin/site get-token -u admin
site: Unix pass prefix: site/local/
site: Get token from http://localhost:2021/_site/token
site: Server response: 401 Unauthorized

site: Are your credentials valid? request-id is http://localhost:2021/_site/requests/50ba7d0fad679394de1aff2c

Looking at the log output, it looks like the username being passed to juxt.pass.alpha.authentication/lookup-user is nil:

17:16:43.457 [qtp1821409160-23] DEBUG juxt.site.alpha.handler - Resource provider: :juxt.site.alpha.handler/db
17:16:43.461 [qtp1821409160-23] ERROR juxt.pass.alpha.authentication - #error {
 :cause nil
 :via
 [{:type java.lang.NullPointerException
   :message nil
   :at [java.util.regex.Matcher getTextLength Matcher.java 1770]}]
 :trace
 [[java.util.regex.Matcher getTextLength Matcher.java 1770]
  [java.util.regex.Matcher reset Matcher.java 416]
  [java.util.regex.Matcher <init> Matcher.java 253]
  [java.util.regex.Pattern matcher Pattern.java 1133]
  [clojure.core$re_matcher invokeStatic core.clj 4856]
  [clojure.core$re_matches invokeStatic core.clj 4886]
  [clojure.core$re_matches invoke core.clj 4886]
  [juxt.pass.alpha.authentication$lookup_user invokeStatic authentication.clj 105]
  [juxt.pass.alpha.authentication$lookup_user invoke authentication.clj 101]
  [juxt.pass.alpha.authentication$authenticate invokeStatic authentication.clj 263]
  [juxt.pass.alpha.authentication$authenticate invoke authentication.clj 227]
  [juxt.site.alpha.handler$wrap_authenticate$fn__16783 invoke handler.clj 800]
  [juxt.site.alpha.handler$wrap_negotiate_representation$fn__16778 invoke handler.clj 792]
  [juxt.site.alpha.handler$wrap_find_current_representations$fn__16773 invoke handler.clj 787]
  [juxt.site.alpha.handler$wrap_redirect$fn__16767 invoke handler.clj 773]
  [juxt.site.alpha.handler$wrap_locate_resource$fn__16762 invoke handler.clj 760]
  [juxt.site.alpha.handler$wrap_method_not_implemented_QMARK_$fn__16758 invoke handler.clj 754]
  [juxt.site.alpha.handler$wrap_error_handling$fn__16923 invoke handler.clj 1240]
  [juxt.site.alpha.handler$wrap_security_headers$fn__16828 invoke handler.clj 920]
  [juxt.site.alpha.handler$wrap_cors_headers$fn__16874 invoke handler.clj 1029]
  [juxt.site.alpha.handler$wrap_store_request_in_request_cache$fn__16965 invoke handler.clj 1380]
  [juxt.site.alpha.handler$wrap_store_request$fn__16969 invoke handler.clj 1387]
  [juxt.site.alpha.handler$wrap_log_request$fn__16975 invoke handler.clj 1405]
  [juxt.site.alpha.handler$wrap_service_unavailable_QMARK_$fn__16983 invoke handler.clj 1428]
  [juxt.site.alpha.handler$wrap_initialize_request$fn__16951 invoke handler.clj 1342]
  [juxt.site.alpha.handler$wrap_healthcheck$fn__16979 invoke handler.clj 1412]
  [juxt.site.alpha.handler$wrap_ring_1_adapter$fn__16959 invoke handler.clj 1369]
  [ring.adapter.jetty$proxy_handler$fn__8527 invoke jetty.clj 27]
  [ring.adapter.jetty.proxy$org.eclipse.jetty.server.handler.AbstractHandler$ff19274a handle nil -1]
  [org.eclipse.jetty.server.handler.HandlerWrapper handle HandlerWrapper.java 127]
  [org.eclipse.jetty.server.Server handle Server.java 516]
  [org.eclipse.jetty.server.HttpChannel lambda$handle$1 HttpChannel.java 388]
  [org.eclipse.jetty.server.HttpChannel dispatch HttpChannel.java 633]
  [org.eclipse.jetty.server.HttpChannel handle HttpChannel.java 380]
  [org.eclipse.jetty.server.HttpConnection onFillable HttpConnection.java 273]
  [org.eclipse.jetty.io.AbstractConnection$ReadCallback succeeded AbstractConnection.java 311]
  [org.eclipse.jetty.io.FillInterest fillable FillInterest.java 105]
  [org.eclipse.jetty.io.ChannelEndPoint$1 run ChannelEndPoint.java 104]
  [org.eclipse.jetty.util.thread.QueuedThreadPool runJob QueuedThreadPool.java 773]
  [org.eclipse.jetty.util.thread.QueuedThreadPool$Runner run QueuedThreadPool.java 905]
  [java.lang.Thread run Thread.java 834]]}
17:16:43.461 [qtp1821409160-23] DEBUG crux.query - :query {:find [rule], :where [[rule :juxt.site.alpha/type "Rule"]], :in []}

admarrs, Oct 08 '21 16:10

After further investigation, the regex used to extract the username & password from the decoded token doesn't like symbols in the password.

So I'd suggest an update to the Test drive to add the -n flag to pass generate to exclude symbols from the password:

pass generate -n site/local/admin

With that change the Test drive worked as described.

admarrs, Oct 09 '21 13:10

Thanks for this - I've made the change you suggested to the documentation.

malcolmsparks, Oct 10 '21 11:10

I'm still puzzled as to why this occurred. If you have a moment, could you paste me a bit more detail, or a password that causes the issue?

malcolmsparks, Oct 10 '21 11:10

The generated password that caused the problem was <d"DWP+"g/egZyR:`rYQ#QiXv

From the repl

site > clj
Clojure 1.10.1
user=> (re-matches #"([^:]*):([^:]*)" 'admin:<d"DWP+"g/egZyR:`rYQ#QiXv')
Syntax error reading source at (REPL:2:55).
Invalid token: g/egZyR:
user/rYQ#QiXv'
Syntax error reading source at (REPL:2:66).
Unmatched delimiter: )
user=> 

admarrs, Oct 10 '21 15:10

Thanks very much for sending this in, it's really helpful and I was able to spot the bug straight away. The regex is wrong, it should almost certainly be ([^:]*):(.*) to allow passwords to have colons. If you don't mind, I'll re-open this issue in lieu of fixing this (and testing).

Note, when fixing this bug, remove the -n flag from pass generate, as it won't be necessary.

malcolmsparks, Oct 10 '21 16:10
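The credential-splitting bug discussed in this thread, reproduced as an added example that is not code from the site project: Python's re.fullmatch stands in for Clojure's re-matches (both require the pattern to cover the whole string and return nothing on a non-match), the sample input is the username and the password quoted above, and the base64 decoding helper is an assumption about how a Basic credential reaches the regex.

```python
import base64
import re

# Constructed sample input: the username and the generated password quoted in
# this thread (the password contains a colon, which is what breaks the regex).
USERNAME = "admin"
PASSWORD = '<d"DWP+"g/egZyR:`rYQ#QiXv'

BUGGY_PATTERN = re.compile(r"([^:]*):([^:]*)")  # pattern in the original code
FIXED_PATTERN = re.compile(r"([^:]*):(.*)")      # pattern suggested in the thread


def encode_basic_credentials(user: str, password: str) -> str:
    """Base64 payload of an HTTP Basic credential: base64(user ":" password).

    RFC 7617 forbids a colon in the user-id but allows any number of colons in
    the password, so only the first colon is a separator.
    """
    return base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def split_credentials(token, pattern: re.Pattern):
    """Decode a Basic token and split it into (user, password) using `pattern`.

    Mirrors Clojure's re-matches: the pattern must cover the whole decoded
    string, and a non-match yields None. A None token is rejected up front;
    Java's Pattern.matcher(null) throws the NullPointerException that appears
    in the trace at the top of this issue, so never hand nil to the regex.
    """
    if token is None:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token: treat as no credentials, not as a crash
    match = pattern.fullmatch(decoded)
    if match is None:
        return None
    return match.group(1), match.group(2)


if __name__ == "__main__":
    token = encode_basic_credentials(USERNAME, PASSWORD)
    print("buggy:", split_credentials(token, BUGGY_PATTERN))  # None: no match
    print("fixed:", split_credentials(token, FIXED_PATTERN))  # ('admin', PASSWORD)
```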

Hi, I did all the steps but I get this error: Not Found Error, Unauthorized Error

burakakca, Feb 09 '22 09:02

Hi, we're currently rewriting all the authn/authz parts of site, so this problem won't exist in a few weeks when that gets merged, but for now you can do one of the following things to solve this:

  • Put a rule into site that allows access to any resource (this effectively removes all auth, so don't do this if you have anything to hide!). The rule looks like this (sorry for formatting, on my phone):
    {:xt/id "{{base-uri}}/_site/rules/make-public",
     :juxt.site.alpha/description "for testing"
     :juxt.site.alpha/type "Rule"
     :juxt.pass.alpha/effect :juxt.pass.alpha/allow
     :juxt.pass.alpha/target []}
  • Install the login page module, or make something that follows the same pattern. See the opt/login-page readme for the details on that. Once you install it you should get redirected to the login page, where you enter the credentials you set up when installing site.

Hopefully that helps

armincerf, Feb 10 '22 21:02

I tried, but it does not change. Also, I can't find opt/login-page.

burakakca, Feb 17 '22 12:02