
Support BasicAuth in ReverseProxy for Development Servers

Open DrTom opened this issue 1 year ago • 2 comments

✅ Disable Basic-Auth in My-Service
☑️ Setup Basic-Auth in Deploy with exceptions : Admin ...

DrTom avatar Apr 10 '24 06:04 DrTom

Hi @DrTom, we have an issue with the new basic auth in staging/test/etc.

Steps to reproduce (any browser)

  1. open https://staging.leihs.zhdk.ch
  2. enter login credentials in AAD
  3. --> short error popping up, but redirects anyway
  4. logged in, at /admin
  5. remove /admin from URL
  6. --> basic auth prompt opens again

neoheat avatar Apr 22 '24 14:04 neoheat

This is an expected side effect of our current setup. It has to do with choices we made years ago and how browsers interact with websites. Details following.

The admin app/service accepts basic auth as an authentication method to supply an API token. You can only supply one Basic Auth Header. Therefore all routes under /admin are excluded from the "UI Basic Auth" enforced by the Reverse-Proxy.

Here is what happens:

  1. A user opens Leihs and (possibly via a number of links and redirects) will end up at some path which is protected by "Basic Auth".
  2. The server indicates requirement for Basic Auth and the browser acts on it with the Basic Auth dialog.
  3. The user supplies credentials and from here on the browser remembers those and will supply them with each following request.
  4. Everything seems to work as expected until the user hits some path within /admin. Note: every leihs admin will end up in /admin after sign-in succeeded.
  5. Since /admin accepts Basic Auth on its own, it evaluates the supplied header. Since it doesn't contain a valid token, the admin service must respond with a specific error response to the client. This is what you can briefly see on the screen. The browser then removes the Basic Auth information, because the admin service indicated it as not valid, and then reloads the page.
  6. Interaction with /admin works as expected from here.
  7. However, if the user switches to some non-/admin route, the Basic Auth header is now missing, the Reverse Proxy reacts with an error response, the browser opens the dialog, and so on.

There is no real fix for this. Each solution has tradeoffs. We will have to discuss which compromises are best suited.

DrTom avatar May 07 '24 13:05 DrTom
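The seven-step sequence described above, replayed as a small Python simulation. This is an added example and not code from the leihs project: the reverse proxy, the admin service's handling of Basic Auth, the browser's credential cache and the credentials themselves are constructed assumptions modelled on the description, not leihs configuration. The model treats a request without an Authorization header under /admin as a signed-in session (assumption), so that the reload after the rejected header succeeds, which is the behaviour the comment describes.

```python
import base64
import hmac

# Constructed credentials for the simulation (not real leihs values).
UI_CREDENTIALS = ("ui", "ui-secret")        # what the reverse proxy's "UI Basic Auth" expects
ADMIN_API_TOKEN = "constructed-api-token"   # what the admin service expects inside Basic Auth


def basic_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header):
    """Return (user, password) from a Basic Authorization header, or None if absent/malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return user, password


def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())


def admin_service(request):
    """Admin app (modelled): a Basic Auth header, when present, must carry a valid API token.
    Assumption: no header means the signed-in browser session is used, treated as valid here."""
    creds = decode_basic(request.get("Authorization"))
    if creds is None:
        return 200, {}
    if _same(creds[1], ADMIN_API_TOKEN):
        return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="leihs-admin-api"'}


def reverse_proxy(request):
    """Reverse proxy (modelled): enforces the UI Basic Auth everywhere except under /admin."""
    if request["path"].startswith("/admin"):
        return admin_service(request)
    creds = decode_basic(request.get("Authorization"))
    if creds is None or not (_same(creds[0], UI_CREDENTIALS[0])
                             and _same(creds[1], UI_CREDENTIALS[1])):
        return 401, {"WWW-Authenticate": 'Basic realm="leihs-ui"'}
    return 200, {}


class Browser:
    """Models the browser behaviour described: remembers accepted credentials for the origin,
    forgets them as soon as a server rejects them with 401, and asks the user again."""

    def __init__(self, user_answers):
        self.cached = None
        self.user_answers = user_answers   # callable(path) -> (user, pw), or None if dismissed
        self.reentries = 0                 # how often the user had to type credentials

    def _send(self, path):
        request = {"path": path}
        if self.cached is not None:
            request["Authorization"] = basic_header(*self.cached)
        return reverse_proxy(request)

    def get(self, path):
        """Return (first status, final status) for one navigation."""
        first, headers = self._send(path)
        if first != 401 or "WWW-Authenticate" not in headers:
            return first, first
        self.cached = None                 # rejected credentials are dropped
        answer = self.user_answers(path)
        if answer is not None:
            self.cached = answer
            self.reentries += 1
        final, _ = self._send(path)        # the reload after the dialog
        return first, final


def walk(paths):
    """Replay a navigation sequence. The user types the UI credentials at non-/admin prompts
    and dismisses the dialog under /admin (the session is already signed in)."""
    browser = Browser(lambda p: None if p.startswith("/admin") else UI_CREDENTIALS)
    trace = [(p,) + browser.get(p) for p in paths]
    return trace, browser.reentries


if __name__ == "__main__":
    # Visiting /admin in between forces the UI credentials to be entered a second time.
    print(walk(["/", "/admin", "/"]))
    # Without the /admin detour the cached credentials keep working.
    print(walk(["/", "/"]))
```

The two `walk` calls make the trade-off visible: the detour through /admin costs the user a second credential prompt on the very next non-/admin page, while the same two UI requests without the detour need only one.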

https://github.com/leihs/leihs/issues/1754

DrTom avatar Jul 09 '24 06:07 DrTom