CESNET / liberouter-gui


Getting logged out from Nemea Dashboard #8

Closed thorgrin closed 7 years ago

thorgrin commented 7 years ago

I'm testing the v0.3.2 release and whenever I go to the NEMEA-> NEMEA Dashboard I get logged out of the GUI. The following message is in the /var/log/httpd/ssl_error_log:

[Fri Aug 04 12:16:31.055829 2017] [wsgi:error] [pid 9602] [remote 10.0.2.2:42756] Caught error!
[Fri Aug 04 12:16:31.055895 2017] [wsgi:error] [pid 9602] [remote 10.0.2.2:42756] {'status_code': 401, 'error': True, 'message': 'Insufficient privileges.'}

petrstehlik commented 7 years ago

What are your privileges in the active account? Dashboard should be accessible for any logged in user. Can you also post on what endpoint it fails?

thorgrin commented 7 years ago

I'm using the default admin/admin account. It happens when I'm at https://localhost:8443/liberouter-gui/nemea and try to click on https://localhost:8443/liberouter-gui/nemea/dashboard

petrstehlik commented 7 years ago

The problem lies somewhere inside the backend where credentials are not passed. The front-end part surely appends the Authorization header which is required for it.

This is what actually happens, step by step:

  1. You go to the NEMEA Dashboard
  2. Configuration for the Dashboard is looked up in the user's setting.
  3. No record for NEMEA Dashboard is found.
  4. Default configuration is created and inserted to the user.
  5. The new configuration is updated on the server. <-- FAIL, not authorized

First I'd inspect if all headers are passed as they should be (namely Authorization). Then if the record in the mongodb is as it should be (role : 0).

I couldn't replicate the problem with my machine (development standalone server with proxying).

Hope it helps.

thorgrin commented 7 years ago

When I click anywhere else in the GUI, a GET request to libapi/authorization is issued. Every request to resources and libapi/authorization has Authorization header set properly. When I click on Nemea Dashboard, a PUT request to libapi/users/58172c575d47e20e452adcfb is issued instead which returns 401. The put request has the Authorization header filled in as well. So my question is, why is there a PUT request when everywhere else I see GET requests?

This is what I have in the database for the user:

> db.users.find()
{ "_id" : ObjectId("58172c575d47e20e452adcfb"), "first_name" : "", "username" : "admin", "settings" : null, "last_name" : null, "user_id" : null, "email" : null, "password" : BinData(0,"JDJiJDEyJExLd3NkY2R0UUdjdnNzalBMLmxKTC56a2RXQUtYU09aL1Y1R2JlVjk1QzVpWFVsdGdnUFJh"), "role" : 0 }

thorgrin commented 7 years ago

One more hint: Before the PUT request, there is the following message in the JS console:

TypeError: this.user.user.settings is null

Hope it helps.

petrstehlik commented 7 years ago

Found the culprit. Will fix ASAP. The problem is in Auth decorator and the role it is set to in case of editing a user.

petrstehlik commented 7 years ago

Bug was caused by setting privileges on the endpoint and therefore only admins could edit users. Now it checks only for valid session and in case of non-admin user it checks if they edit themselves.
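The fix described in the last comment, modelled as an added example (not liberouter-gui's own code): an endpoint-level role requirement rejects every non-admin PUT to the user record, while the corrected check accepts any valid session but lets a non-admin update only their own record. Role values, the session table and the handler names are constructed assumptions; the page does not show liberouter-gui's actual decorator.

```python
from functools import wraps

# Constructed data. The thread's admin record has "role" : 0, so 0 is taken here
# to be the admin role (an assumption); 1 is a constructed ordinary user role.
ROLE_ADMIN, ROLE_USER = 0, 1
SESSIONS = {  # Authorization header value -> user record (constructed)
    "token-admin": {"_id": "58172c575d47e20e452adcfb", "role": ROLE_ADMIN},
    "token-alice": {"_id": "a1", "role": ROLE_USER},
}

class Unauthorized(Exception):
    """Stands in for the backend's {'status_code': 401, ...} JSON error."""

def session_user(headers):
    """Resolve the Authorization header to a session user, else 401."""
    user = SESSIONS.get(headers.get("Authorization"))
    if user is None:
        raise Unauthorized("Missing or invalid session.")
    return user

def auth(admin_only):
    """admin_only=True models the pre-fix decorator: the endpoint demanded the
    admin role, so any other logged-in user got 'Insufficient privileges.'
    admin_only=False models the fix: any valid session passes, but a non-admin
    may only edit the record whose id matches their own session."""
    def decorator(fn):
        @wraps(fn)
        def wrapper(headers, user_id, payload):
            user = session_user(headers)
            if admin_only and user["role"] != ROLE_ADMIN:
                raise Unauthorized("Insufficient privileges.")
            if user["role"] != ROLE_ADMIN and user["_id"] != user_id:
                raise Unauthorized("Insufficient privileges.")
            return fn(user, user_id, payload)
        return wrapper
    return decorator

@auth(admin_only=True)
def put_user_before(user, user_id, payload):  # hypothetical PUT /libapi/users/<id>
    return {"_id": user_id, "settings": payload}
@auth(admin_only=False)
def put_user_after(user, user_id, payload):
    return {"_id": user_id, "settings": payload}

def status(handler, token, user_id):
    """Map a PUT attempt to an HTTP-like status code (200 or 401)."""
    try:
        handler({"Authorization": token}, user_id, {"nemea-dashboard": {}})
        return 200
    except Unauthorized:
        return 401
```

The second check in the fixed path is the one to keep an eye on: relaxing an admin-only endpoint to "any logged-in user" without the self-or-admin comparison would let any account overwrite any other user's settings.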