oncall
ICal Authentication : 401 / unauthorized
Hi there!
I've set up a beta prod env. with user authentication activated in config.yaml. My oncall app is behind a reverse proxy, and everything seems to be working fine (even with my mods).
I'm trying to reach ical from the Thunderbird app after having generated an ical key in the user conf.
TB asks me for user credentials, but I always land on a 401 error:
192.168.1.7 - - [25/Apr/2022:21:53:59 +0200] "GET /api/v0/ical/e11ed94a-ac2b-4bd9-b22f-fa52bfdbab56 HTTP/1.1" 401 63 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0"
Of course, with authentication turned off, everything is reachable.
I'm learning Python with this project, and I do not know where to start to debug it.
It does not even reach public_ical.py, and I do not know where falcon intercepts the request.
Any help would be greatly appreciated!
So I've managed to track the path of the request:
It's first handled in /app.py > AuthMiddleware > process_resource;
as there are no credentials it goes to auth/__init__.py > _authenticate_user,
but the request does not contain any user information here, so it fails.
I've added allow_no_auth = True in api/v0/public_ical.py so no authorization is required to access the resource, but I feel quite uncomfortable leaving it fully open (with the calendar key).
Is there anywhere to dig to get a full authentication system to access ical by API call?
@Bbillyben I'm currently facing the same issues. I think the intended way to expose the public ical calendar is through iris-relay (see https://github.com/linkedin/iris-relay/blob/aeeccf101d8b660b8889926127156eda83e23e7a/src/iris_relay/app.py#L1015).
Nevertheless, I think from a security perspective it would be okay to add allow_no_auth = True to api/v0/public_ical.py, as you need a valid ical token to get a response from the endpoint. If no valid ical token is provided, it will return HTTPNotFound.
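The behaviour discussed in this thread, as an added sketch that is not oncall's code and not part of any comment above: a stdlib-only model of a per-resource auth check with an allow_no_auth opt-out, where the ical key in the URL is the only gate and every bad key gets the same 404. The class bodies, the dispatch helper, the sample key and the UUID format check are assumptions made for illustration.

```python
import uuid

class HTTPError(Exception):
    def __init__(self, status):
        super().__init__(status)
        self.status = status

# Constructed sample data: ical key -> calendar owner (hypothetical values).
ICAL_KEYS = {"3f0c1d2e-0000-4000-8000-000000000001": "alice"}

class AuthMiddleware:
    """Simplified model of the per-resource check described in the thread."""
    def process_resource(self, req, resource):
        # Resources that opt out are passed through without credentials.
        if getattr(resource, "allow_no_auth", False):
            return
        if not req.get("user"):
            raise HTTPError(401)

class PublicIcal:
    allow_no_auth = True  # the key in the URL is the only thing gating access

    def on_get(self, req, key):
        try:
            # Assumption: keys are UUIDs; reject malformed input before lookup.
            normalized = str(uuid.UUID(key))
        except ValueError:
            raise HTTPError(404) from None
        owner = ICAL_KEYS.get(normalized)
        if owner is None:
            # Same 404 for unknown and malformed keys, so responses do not
            # reveal which keys are close to valid.
            raise HTTPError(404)
        return 200, f"BEGIN:VCALENDAR\r\nX-WR-CALNAME:{owner}\r\nEND:VCALENDAR\r\n"

class UserSettings:
    """Hypothetical resource that keeps the default (authenticated) behaviour."""
    def on_get(self, req, key):
        return 200, "private"

def dispatch(resource, req, key):
    """Run the middleware, then the handler; return (status, body)."""
    try:
        AuthMiddleware().process_resource(req, resource)
        return resource.on_get(req, key)
    except HTTPError as e:
        return e.status, ""
```

With this shape the key acts as a bearer secret, so it should be kept out of shared logs and regenerated if it leaks.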