GISportal
User dashboard error 403 Forbidden
Hi
I've set up GISportal on an internal RHEL vm under supervisord. It's accessible through a browser, however, no user dashboard is available. I feel I'm missing something really basic in the config steps.
I've added admin user emails for myself and another, however, when I track the http responses I see some errors.
There is a 404 Not Found on:
GET /app/cache/10.83.64.51:6789/vectorLayers.json HTTP/1.1
And a 403 Forbidden on:
GET /app/user/dashboard/?domain=10.83.64.51:6789 HTTP/1.1
Here's the full http response (minus the cookie details) on the latter:
GET /app/user/dashboard/?domain=10.83.64.51:6789 HTTP/1.1
Host: 10.83.64.51:6789
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie:
Referer: http://10.83.64.51:6789/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36
X-Requested-With: XMLHttpRequest

HTTP/1.1 403 Forbidden
Connection: keep-alive
Content-Length: 9
Content-Type: text/plain; charset=utf-8
Date: Wed, 21 Mar 2018 00:11:03 GMT
ETag: W/"9-cilpV3qWyjlT6E49lJ3ugQ"
X-Powered-By: Express
Is there a login screen? How is authentication handled?
Thanks for your help Ian
I should add my config-server.js contents (note the email addresses have been replaced with generics):
GLOBAL.config['10.83.64.51/:6789'] = {
  auth: {
    google: {
      scope : 'https://www.googleapis.com/auth/userinfo.email',
      clientid : 'CLIENT_ID',
      clientsecret : 'CLIENT_SECRET',
      callback : 'CALLBACK',
      prompt: 'select_account'
    }
  },
  admins:['[email protected]','[email protected]'],
  logDir: 'logs',
  plottingDownloadDir:'/srv/GISportal/config/site-settings/10.83.64.51/:6789' EMAIL,
  cssFile:"GISportal"
};
Hi Ian,
The first error, the 404 for vectorLayers.json, is expected if you have not defined any vector layers yet, so can safely be ignored. The second error, the 403 forbidden for /app/user/dashboard, is returned because you are not logged in, and it looks like you have not properly configured the authentication.
The authentication is handled by Google's OAuth service and you need to be registered with Google to obtain a client ID and client secret that need to be added to config-server.js. There's information on how to obtain these at https://support.google.com/cloud/answer/6158849/?hl=en&authuser=0, then once you have the id and secret you can edit config-server.js to add these values, or perhaps an easier option would be to run ./install.sh in the root of the application and follow the steps there to recreate config-server.js.
Once you have added a valid client Id and client secret and restarted node you should have a user dashboard menu tab (indicated here by the arrow) and on this tab there will be a login with Google button.
Hope this helps, please let me know if you're still stuck. Cheers, Ben
Hi Ben,
Thanks for the prompt reply.
I've created a new project and added the client ID and client secret to config-server.js and rebooted the server. I'm still getting the 403 error and no user dashboard appears as a menu tab. These appear when the site first launches, before I click on "Load your previous map" or "Start building a map".
Unsure if this is related, but I get a subsequent http response from console.cloud.google.com that references the IP address
GET /m/operations?maxResults=100 HTTP/1.1
Host: console.cloud.google.com:443
Accept: image/webp,image/apng,image/*,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Referer: http://10.83.64.51:6789/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36

HTTP/1.1 200
alt-svc: hq=":443"; ma=2592000; quic=51303432; quic=51303431; quic=51303339; quic=51303335,quic=":443"; ma=2592000; v="42,41,39,35"
cache-control: no-cache, no-store, max-age=0, must-revalidate
content-disposition: attachment; filename="json.txt"; filename*=UTF-8''json.txt
content-encoding: gzip
content-security-policy: default-src 'none'
content-type: application/json; charset=utf-8
date: Wed, 21 Mar 2018 21:49:54 GMT
expires: Mon, 01 Jan 1990 00:00:00 GMT
pragma: no-cache
server: ESF
set-cookie: SIDCC=AAiTGe9b7NEIwcqGSYsNoPGDYR5z4AenlvWrpsLNKBLbq4clzib4fzzrBPWruIs-PfxzA8Bazag; expires=Tue, 19-Jun-2018 21:49:54 GMT; path=/; domain=.google.com; priority=high
status: 200
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
x-frame-options: DENY
x-pan-versionid: inductive-oxide-201803181602-rc01
x-xss-protection: 1; mode=block
Thanks for your help Ian
Ian,
Looking again at your original post of config-server.js there is a stray / that I hadn't previously noticed in the first line when defining the GLOBAL.config key, so I have removed this and I have defined the callback URL in the revised version below for clarity. I've also removed a stray / and EMAIL, as well; these would not have had an effect on the availability of the dashboard but would have caused some odd behaviour.
GLOBAL.config['10.83.64.51:6789'] = {
auth: {
google: {
scope : 'https://www.googleapis.com/auth/userinfo.email',
clientid : '<REPLACE THIS WITH CLIENT ID>',
clientsecret : '<REPLACE THIS WITH CLIENT_SECRET>',
callback : 'http://10.83.64.51:6789/app/user/auth/google/callback',
prompt: 'select_account'
}
},
admins:['[email protected]','[email protected]'],
logDir: 'logs',
plottingDownloadDir:'/srv/GISportal/config/site-settings/10.83.64.51:6789',
cssFile:"GISportal"
};
The plottingDownloadDir directory that you have defined here is the same location where application configuration files are stored. You may want to consider changing this so that you can keep a back up of config files without having to separate any netCDF files that are downloaded and used temporarily to create plots.
Cheers, Ben
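The problems raised in the thread up to this point (a stray / in the GLOBAL.config key, placeholder OAuth credentials, an unset callback, and plottingDownloadDir sitting in the config directory) can be checked mechanically. The following is an added example, not GISportal code and not written by either poster; the function name checkDomainConfig, the placeholder pattern, the sample values and the rule that the config key must equal the callback URL's host:port are assumptions drawn from the revised config above.

```javascript
// Added example, not GISportal code. Checks one GLOBAL.config entry.
const { URL } = require('url');

const CALLBACK_PATH = '/app/user/auth/google/callback'; // path shown in the thread
// Assumption: values like these are install-time placeholders, not credentials.
const PLACEHOLDER = /^(|CLIENT_?ID|CLIENT_?SECRET|SECRET|<.*>)$/i;

function checkDomainConfig(key, cfg) {
  const problems = [];
  // Key should be host or host:port with no slashes.
  if (!/^[A-Za-z0-9.-]+(:\d{1,5})?$/.test(key)) {
    problems.push(`config key '${key}' is not a plain host[:port]`);
  }
  const google = (cfg.auth && cfg.auth.google) || {};
  for (const field of ['clientid', 'clientsecret']) {
    if (PLACEHOLDER.test(String(google[field] || '').trim())) {
      problems.push(`auth.google.${field} is empty or still a placeholder`);
    }
  }
  let cb = null;
  try {
    cb = new URL(google.callback);
  } catch (err) {
    problems.push('auth.google.callback is not an absolute URL');
  }
  if (cb && cb.host !== key) {
    problems.push(`callback host '${cb.host}' differs from the config key`);
  }
  if (cb && cb.pathname !== CALLBACK_PATH) {
    problems.push(`callback path should be ${CALLBACK_PATH}`);
  }
  // Ben's advice: keep downloaded netCDF files out of the config directory.
  if (/\/config\/site-settings(\/|$)/.test(cfg.plottingDownloadDir || '')) {
    problems.push('plottingDownloadDir is inside config/site-settings');
  }
  return problems;
}

// Constructed samples: first as originally posted, then a corrected form.
const AS_POSTED = { auth: { google: { clientid: 'CLIENT_ID', clientsecret: 'CLIENT_SECRET', callback: 'CALLBACK' } },
  plottingDownloadDir: '/srv/GISportal/config/site-settings/10.83.64.51/:6789' };
const CORRECTED = { auth: { google: { clientid: 'constructed-id.apps.googleusercontent.com',
  clientsecret: 'constructed-secret', callback: 'http://10.83.64.51:6789' + CALLBACK_PATH } },
  plottingDownloadDir: '/srv/GISportal/plots' };

console.log(checkDomainConfig('10.83.64.51/:6789', AS_POSTED));
console.log(checkDomainConfig('10.83.64.51:6789', CORRECTED));
```

Running the same check with the key the browser actually uses in the ?domain= parameter shows whether the entry will be matched at all.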
Hi Ben,
I made those changes and rebooted, however, there was still no access (error in HTTP headers was still 403 forbidden). So I re-ran ./install.sh, changed the domain name (from the IP address to the server hostname) and did get to the User Dashboard.
However, when clicking ‘Sign in with Google’ and selecting my gmail account (listed as admin) I get a blank message on this ridiculously long url:
http://emstpw00553.srv.sydney.edu.au:6789/app/user/auth/google/callback?code=4/AACnduAK-Uik-5rx1ymx5NTL0z766Np3sxrf27Pvx4z1icqzRfYvdIlEXyii4IeDL75u_JfWIaFkIYfjysp7_5o#
Here’s the config-server.js now:
GLOBAL.config['emstpw00553.srv.sydney.edu.au:6789'] = {
  auth: {
    google: {
      scope : 'https://www.googleapis.com/auth/userinfo.email',
      clientid : 'CLIENTID',
      clientsecret : 'SECRET',
      callback : 'http://emstpw00553.srv.sydney.edu.au:6789/app/user/auth/google/callback',
      prompt: 'select_account'
    }
  },
  admins:['[email protected]'],
  logDir: 'logs',
  cssFile:"GISportal"
};
Thanks for your help Ian
Ian,
The good news is that you have correctly configured the application as I have been able to use your configuration file in an instance running on my machine, with an edited hosts file, and I can login as expected. Unfortunately, the bad news is that there must be something in your hosting environment that is causing the problem, and this is not a straightforward task to identify. Could you start by posting any relevant sections of log file here.
In the meantime, you could try running the application using the Docker container that is available at https://hub.docker.com/r/pmlrsg/gisportal/ - there are instructions on how to download, install and run the container here.
Cheers, Ben
Ben,
That’s great news. Though obviously only leads to bigger problems.
This is the last connection attempt in the logs:
"2018-03-26T05:27:19.734Z","::ffff:10.17.79.54","/img/PML-MAP-2.png","","",0,""
"2018-03-26T05:27:19.754Z","::ffff:10.17.79.54","/all_templates.mst","","",0,""
"2018-03-26T05:27:19.758Z","::ffff:10.17.79.54","/img/PML_LOGO.png","","",0,""
"2018-03-26T05:27:19.946Z","::ffff:10.17.79.54","/app/settings/get_cache?_=1522042039941","","",0,""
"2018-03-26T05:27:19.947Z","::ffff:10.17.79.54","/app/cache/emstpw00553.srv.sydney.edu.au:6789/vectorLayers.json","","",0,""
"2018-03-26T05:27:20.000Z","::ffff:10.17.79.54","/app/user/dashboard/?domain=emstpw00553.srv.sydney.edu.au:6789","","",0,""
"2018-03-26T05:27:20.023Z","::ffff:10.17.79.54","/img/baselayer-none.jpg","","",0,""
"2018-03-26T05:27:20.024Z","::ffff:10.17.79.54","/img/baselayer-EOXs2cloudless.jpg","","",0,""
"2018-03-26T05:27:20.034Z","::ffff:10.17.79.54","/img/baselayer-GEBCO.jpg","","",0,""
"2018-03-26T05:27:20.035Z","::ffff:10.17.79.54","/img/baselayer-EOX.jpg","","",0,""
"2018-03-26T05:27:20.036Z","::ffff:10.17.79.54","/img/baselayer-BlueMarble.jpg","","",0,""
"2018-03-26T05:27:20.037Z","::ffff:10.17.79.54","/img/baselayer-BlackMarble.jpg","","",0,""
"2018-03-26T05:27:20.044Z","::ffff:10.17.79.54","/img/baselayer-OSM.jpg","","",0,""
"2018-03-26T05:27:20.128Z","::ffff:10.17.79.54","/app/user","","",0,""
"2018-03-26T05:27:20.504Z","::ffff:10.17.79.54","/app/settings/get_walkthroughs","","",0,""
"2018-03-26T05:27:20.506Z","::ffff:10.17.79.54","/img/sign-in-with-google.png","","",0,""
"2018-03-26T05:29:10.809Z","::ffff:10.17.79.54","/app/user/auth/google","","",0,""
"2018-03-26T05:29:14.478Z","::ffff:10.17.79.54","/app/user/auth/google/callback?code=4/AACH1QF1b8h0jDbLejzaX5Jze4pB180_AjqmPd26ngNx2EL8bhrO-sW2oHeflJn5Y2gq7Bmrdw7C1zI1h-fOcrE","","",0,""
"2018-03-26T05:36:39.119Z","::ffff:10.17.79.54","/app/user/auth/google","","",0,""
"2018-03-26T05:36:42.260Z","::ffff:10.17.79.54","/app/user/auth/google/callback?code=4/AADKi08UqAGlR41a71DBE3ZY4NtADku6-s2F5jdd46LLMF65GDK0RXteyM8Qyc9Ri58HlhUx6Z-ADxfsbQHfiXE","","",0,""
I can’t make heads or tails of it, but I can transcribe the http headers if required. The box is RHEL 6.9 and there isn’t a community edition of docker available so I can’t use the docker container you’ve provided (though I am a neophyte on docker so happy to be corrected). I’ll talk with my hosting guys to see if they can pinpoint the issue as the firewall is extremely restrictive on these machines.
Thanks Ian
Ian,
There's nothing untoward in this log file. Would you be able to post any relevant sections of the supervisord logs as well please?
Cheers, Ben