EDRN / labcas-ui

User Interface for the Laboratory Catalog and Archive Service (LabCAS)
Apache License 2.0

When calling /data-access-api/auth, use POST, not GET #207

Closed nutjob4life closed 2 months ago

nutjob4life commented 3 months ago

Robert Solorio says /data-access-api/auth cannot be sent GET requests, even though the credential is base64-encoded.

Instead, it can only be sent POST requests, where the credential is plainly visible.

Because "reasons" 🤔

To make this clearer, credentials must be in a urlform-encoded HTTP payload with username and password parameters and cannot be in the HTTP header.

nutjob4life commented 3 months ago

@yuliujpl the server-side for this is live on labcas-dev.jpl.nasa.gov right now and ready for you to test with an update to the UI 😁

yuliujpl commented 2 months ago

@nutjob4life Fyi same as my email:

I actually didn't need to change from request header to form-encoded for it to work!

```javascript
$.ajax({
    url: localStorage.getItem('environment') + "/data-access-api/auth",
    beforeSend: function (xhr) {
        xhr.setRequestHeader("Authorization", "Basic " + btoa($('#username').val() + ":" + $('#password').val()));
    },
    type: 'POST',
    success: function (data) {
        Cookies.set("logout_alert", "Off");
        Cookies.set("token", data);
        Cookies.set("JasonWebToken", data);
        // …
    }
});
```

However, the next part of my code did fail:

```javascript
$.ajax({
    url: localStorage.getItem('environment') + "/data-access-api/userdata/read?id=" + Cookies.get('user'),
    beforeSend: function (xhr) {
        xhr.setRequestHeader("Authorization", "Bearer " + Cookies.get('token'));
    },
    type: 'GET',
    dataType: 'json',
    success: function (data) {
        // …
    }
});
```

I think this is because it's the userdata endpoint in labcas_backend that might also need POST functionality? `Failed to load resource: the server responded with a status of 405 ()`

nutjob4life commented 2 months ago

Hi David:

FYI, in GitHub, you can use

    ```javascript
    .ajax({ …
        …
    );
    ```

to format your code nicely and avoid having an error message appear ("You can't use 'macro parameter #' in math mode"). (The triple-back-ticks indicate a code block and the optional `javascript` tells what language of code block to make.)

Anyway, I'm afraid Robert Solorio isn't going to accept the POST with a "Basic" header, even if it works. He specifically called out that the _username and password cannot be in an HTTP header_. It must be in the HTTP payload. Can you rewrite it to use POST with a urlform-encoded payload with `username` and `password` parameters?

Now, to me, this seems _even worse_, because in the payload the username and password are readily readable! But that's what he wants 🤷  Go figure! 😝 

As for the userdata endpoint, I'm not sure what's going on there. Right now it's implemented as:
```java
@Override
@GET
@Path("/read")
public Response read(@Context HttpServletRequest httpRequest,
        @Context ContainerRequestContext requestContext,
        @QueryParam("id") String id) {

    LOG.info("Requesting document for id="+id);
    …
```

and the @GET annotation says it should take a GET HTTP verb.

Unfortunately I'm out of time today so I'll look at it tomorrow, 6-28.

Thanks for your help thus far!

yuliujpl commented 2 months ago

Unfortunately, it seems like when I do urlencoded with form param, it returns 403 error!



```javascript
$.ajax({
    url: localStorage.getItem('environment') + "/data-access-api/auth",
    type: 'POST',
    contentType: 'application/x-www-form-urlencoded',
    data: $.param({
        username: $('#username').val(),
        password: $('#password').val()
    }),
    success: function (data) {
        // …
    }
});
```


nutjob4life commented 2 months ago

@yuliujpl are you sure you're using labcas-dev and not edrn-labcas?

This works for me:

```console
$ date -u
Fri Jun 28 13:02:40 UTC 2024
$ curl --silent --request POST --data 'username=kelly' --data 'password=REDACTED' https://labcas-dev.jpl.nasa.gov/data-access-api/auth > /tmp/jwt
$ curl --silent --request GET --header "Authorization: Bearer $(cat /tmp/jwt)" 'https://labcas-dev.jpl.nasa.gov/data-access-api/userdata/read?id=kelly' | json_pp
{
   "response" : {
      "docs" : [],
      "numFound" : 0,
      "start" : 0
   },
   "responseHeader" : {
      "QTime" : 0,
      "params" : {
         "q" : "id:kelly",
         "wt" : "json"
      },
      "status" : 0
   }
}
$ echo 🤷
🤷
```

(By the way, the triple-backtick notation only works when using github.com, not in an email reply—sorry!)

yuliujpl commented 2 months ago

Yup, it's definitely pointing at labcas-dev! Is there any content at /tmp/jwt?

I tried a couple variations even removing params but keeping the urlencoded and still to no avail.

Are there by chance any logs in labcas-backend that might explain the 403 error? I just submitted a request. Let me try experimenting a few more times!

nutjob4life commented 2 months ago

Hi David, yes, /tmp/jwt contains the following:

```
eyJ0e…iJ9.eyJhdWQi…AxNTM1fQ.nybYI…rbJz6Ac
```

As you can see, it's the output from the first curl command, and consists of three parts separated by dots (I've omitted most of it for readability and security).

Looking at the logs in /usr/local/labcas/backend/home/apache-tomcat/logs/catalina.2024-06-28.log on labcas-dev, I see two entries like:

```
28-Jun-2024 12:00:50.797 INFO [https-jsse-nio-8444-exec-10] gov.nasa.jpl.labcas.data_access_api.filter.AuthenticationFilter.filter 👉 Possible POST username «dliu»
28-Jun-2024 12:00:51.042 INFO [https-jsse-nio-8444-exec-10] gov.nasa.jpl.labcas.data_access_api.filter.UserServiceLdapImpl.getValidUser User: dliu authentication failed
```

The backend in this case should be producing a 403.

Is your EDRN password working? See if you can log into https://bmdb.jpl.nasa.gov/ or https://edrn.nci.nih.gov/_util/login/?next=/

Or, test your EDRN password while logged into labcas-dev, try:

```console
$ ldapsearch -W -x -D uid=dliu,dc=edrn,dc=jpl,dc=nasa,dc=gov -H ldaps://edrn-ds.jpl.nasa.gov -b dc=edrn,dc=jpl,dc=nasa,dc=gov -s one '(uid=dliu)'
```

when prompted, enter your EDRN password.
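The pair of log lines above is the backend's only visible trace of why a client saw a 403. As an added example (not labcas-backend code), the following script correlates the `AuthenticationFilter` "Possible POST username" line with the `UserServiceLdapImpl` "authentication failed" line on the same Tomcat worker thread, so each failed login can be attributed to a named user and repeated failures for one account can be flagged. The sample lines are constructed variants of the two entries quoted above; the two message formats are assumed from those lines only, and no success-line format is assumed.

```javascript
// Added example, not part of labcas-backend. Correlates catalina.log entries:
// an AuthenticationFilter attempt line followed by a UserServiceLdapImpl failure
// line on the same thread means that POST to /data-access-api/auth got a 403.
// SAMPLE_LOG is constructed from the two lines quoted in this thread.
const SAMPLE_LOG = [
  '28-Jun-2024 12:00:50.797 INFO [https-jsse-nio-8444-exec-10] gov.nasa.jpl.labcas.data_access_api.filter.AuthenticationFilter.filter 👉 Possible POST username «dliu»',
  '28-Jun-2024 12:00:51.042 INFO [https-jsse-nio-8444-exec-10] gov.nasa.jpl.labcas.data_access_api.filter.UserServiceLdapImpl.getValidUser User: dliu authentication failed',
  '28-Jun-2024 12:01:07.310 INFO [https-jsse-nio-8444-exec-4] gov.nasa.jpl.labcas.data_access_api.filter.AuthenticationFilter.filter 👉 Possible POST username «dliu»',
  '28-Jun-2024 12:01:07.522 INFO [https-jsse-nio-8444-exec-4] gov.nasa.jpl.labcas.data_access_api.filter.UserServiceLdapImpl.getValidUser User: dliu authentication failed',
  '28-Jun-2024 13:02:40.118 INFO [https-jsse-nio-8444-exec-7] gov.nasa.jpl.labcas.data_access_api.filter.AuthenticationFilter.filter 👉 Possible POST username «kelly»',
  '28-Jun-2024 13:02:41.006 INFO [https-jsse-nio-8444-exec-7] gov.nasa.jpl.labcas.data_access_api.filter.AuthenticationFilter.filter 👉 Possible POST username «dliu»',
  '28-Jun-2024 13:02:41.250 INFO [https-jsse-nio-8444-exec-7] gov.nasa.jpl.labcas.data_access_api.filter.UserServiceLdapImpl.getValidUser User: dliu authentication failed',
];

// Tomcat one-line layout: timestamp, level, [thread], logger.method, message.
const LINE_RE = /^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\w+) \[([^\]]+)\] (\S+) (.*)$/;
const ATTEMPT_RE = /Possible POST username «([^»]+)»/;   // assumed from the quoted line
const FAILED_RE = /User: (\S+) authentication failed/;    // assumed from the quoted line

const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// Tomcat logs local time with no zone; treat it as UTC purely for ordering.
function parseTomcatTime(s) {
  const m = /^(\d{2})-([A-Za-z]{3})-(\d{4}) (\d{2}):(\d{2}):(\d{2})\.(\d{3})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return null;
  return Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6], +m[7]);
}

// Returns one event per login attempt: { time, thread, user, outcome }.
// outcome is 'failed' when the same thread logged an LDAP failure for that
// user next, otherwise 'unknown' (no success line format is assumed here).
function correlateAuthAttempts(lines) {
  const events = [];
  const pending = new Map(); // thread -> index of latest attempt awaiting an outcome
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, ts, , thread, logger, message] = m;
    const time = parseTomcatTime(ts);
    const attempt = ATTEMPT_RE.exec(message);
    if (attempt && logger.endsWith('AuthenticationFilter.filter')) {
      events.push({ time, thread, user: attempt[1], outcome: 'unknown' });
      pending.set(thread, events.length - 1);
      continue;
    }
    const failed = FAILED_RE.exec(message);
    if (failed) {
      const idx = pending.get(thread);
      if (idx !== undefined && events[idx].user === failed[1]) {
        events[idx].outcome = 'failed';
        pending.delete(thread);
      } else {
        // Failure without a matching attempt line on this thread: record it anyway.
        events.push({ time, thread, user: failed[1], outcome: 'failed' });
      }
    }
  }
  return events;
}

function failuresByUser(events) {
  const counts = new Map();
  for (const e of events) {
    if (e.outcome === 'failed') counts.set(e.user, (counts.get(e.user) || 0) + 1);
  }
  return counts;
}

// Accounts with at least `threshold` failed logins in the window covered by `events`.
function flagRepeatedFailures(events, threshold) {
  return [...failuresByUser(events)].filter(([, n]) => n >= threshold).map(([u]) => u);
}
```

Running `correlateAuthAttempts(SAMPLE_LOG)` attributes three failures to `dliu` and leaves the `kelly` attempt as `unknown`, because no failure followed it on its thread; a real deployment would feed the whole day's `catalina.<date>.log` through the same functions and alert on `flagRepeatedFailures`.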

nutjob4life commented 2 months ago

> Are there by chance any logs in labcas-backend that might explain the 403 error

Maybe your EDRN password for dliu is wrong? 🤔

I tried my curl command with an incorrect password and I get 403. A correct password gives 200 and a JWT.

yuliujpl commented 2 months ago

Omg, I was using nist password (hand smack face), so sorry!

nutjob4life commented 2 months ago

> Omg, I was using nist password (hand smack face), so sorry!

No worries! We have too many LabCASes and too many accounts!

yuliujpl commented 2 months ago

So with token, I can continue to use GET? It was only the login I need to use POST?

nutjob4life commented 2 months ago

> So with token, I can continue to use GET? It was only the login I need to use POST?

Right, POST only for /data-access-api/auth, GET for the rest.
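To make the rule concrete, here is an added example (not code from labcas-ui) of the client flow the thread settles on: form-encoded `username`/`password` in a POST body to `/data-access-api/auth`, the returned JWT carried as a Bearer token on GETs, and distinct handling of the 405 (wrong verb) and 403 (rejected credentials) responses seen above. The fetch implementation is injected so the flow runs offline against a constructed fake backend; the base URL, the fake's token contents, and the 401 it returns for a missing Bearer token are assumptions, not observed LabCAS behaviour.

```javascript
// Added example, not code from labcas-ui. Credentials go form-encoded in a POST
// body (never in an Authorization header); the response body is a JWT; later
// calls send it as a Bearer token on GET. `fetchImpl` is window.fetch in the
// browser or the constructed fake below for offline runs.

function buildAuthRequest(username, password) {
  return {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams({ username, password }).toString(),
  };
}

function buildBearerRequest(token) {
  return { method: 'GET', headers: { Authorization: 'Bearer ' + token } };
}

// Decode the JWT payload (second dot-separated, base64url part) WITHOUT
// verifying the signature: enough to read exp/aud on the client, never a
// reason to trust the claims. The server remains the verifier.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected three dot-separated parts');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

async function login(fetchImpl, environment, username, password) {
  const res = await fetchImpl(environment + '/data-access-api/auth', buildAuthRequest(username, password));
  // 405: the wrong verb reached the endpoint. 403: LDAP rejected the
  // username/password (the "authentication failed" log line quoted earlier).
  if (res.status === 405) throw new Error('auth endpoint rejected the HTTP method: use POST');
  if (res.status === 403) throw new Error('authentication failed: bad username or password');
  if (!res.ok) throw new Error('unexpected status ' + res.status);
  const token = (await res.text()).trim();
  const claims = decodeJwtPayload(token); // sanity-check the token shape and expiry
  if (claims.exp !== undefined && claims.exp * 1000 < Date.now()) throw new Error('token already expired');
  return token;
}

async function readUserData(fetchImpl, environment, token, id) {
  const url = environment + '/data-access-api/userdata/read?id=' + encodeURIComponent(id);
  const res = await fetchImpl(url, buildBearerRequest(token));
  if (!res.ok) throw new Error('userdata read failed with status ' + res.status);
  return res.json();
}

// Constructed fake backend (assumption, not LabCAS): POST-only /auth with
// form-encoded credentials, an unsigned (alg "none") JWT, Bearer-protected
// /userdata/read that answers 401 without the right token.
function makeFakeFetch(validUser, validPassword) {
  const b64url = (s) => btoa(s).replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  const token = [
    b64url(JSON.stringify({ alg: 'none', typ: 'JWT' })),
    b64url(JSON.stringify({ aud: 'labcas', sub: validUser, exp: Math.floor(Date.now() / 1000) + 3600 })),
    'constructed-signature',
  ].join('.');
  const reply = (status, body) => ({
    status, ok: status >= 200 && status < 300,
    text: async () => body, json: async () => JSON.parse(body),
  });
  return async (url, init) => {
    if (url.endsWith('/data-access-api/auth')) {
      if (init.method !== 'POST') return reply(405, '');
      const form = new URLSearchParams(init.body || '');
      return form.get('username') === validUser && form.get('password') === validPassword
        ? reply(200, token) : reply(403, '');
    }
    if (url.includes('/data-access-api/userdata/read')) {
      if (init.method !== 'GET') return reply(405, '');
      if (init.headers.Authorization !== 'Bearer ' + token) return reply(401, '');
      return reply(200, JSON.stringify({ response: { docs: [], numFound: 0, start: 0 } }));
    }
    return reply(404, '');
  };
}
```

In the real UI, call `login(window.fetch, localStorage.getItem('environment'), user, pass)` and store the returned token as the existing code does; the form body is still readable to anything that can see the TLS plaintext, so the transport must stay HTTPS and the token should be kept out of URLs and logs.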

yuliujpl commented 2 months ago

Labcas-ui tested and ready to push to prod.



nutjob4life commented 2 months ago

@yuliujpl fantastic!

@hoodriverheather could you test labcas-dev and make sure everything works? We made a fairly significant set of changes to both the UI and the backend. If it checks out, then we can make this live on edrn-labcas, mcl-labcas, and ddsa-labcas.

hoodriverheather commented 2 months ago

@nutjob4life What exactly should I be testing or watching out for here?

nutjob4life commented 2 months ago

@hoodriverheather make sure you can log in, see the data you expect, download files, open image viewers, search for data, log out, log in as another user, repeat these actions; also try logging in with invalid usernames and/or passwords and make sure you're not allowed in.

hoodriverheather commented 2 months ago

@yuliujpl @nutjob4life Let me know when this is ready to test.

nutjob4life commented 2 months ago

Blocked by #211

hoodriverheather commented 2 months ago

@yuliujpl I can't seem to favorite a collection or a dataset. Files have some favorited files, I can't unfavorite them. Prod seems to be working as expected.

hoodriverheather commented 2 months ago

@yuliujpl Not sure the favorites should block closing this issue. Can you take a quick look so we can close this out and push to Prod?

nutjob4life commented 2 months ago

Hi folks, I agree: favorites are nice but not pivotal, especially if NASA SecOps is threatening to shut us down! Let's get #211 fixed, then close out #207, and we can look at favorites as a separate issue later.

hoodriverheather commented 2 months ago

@nutjob4life @yuliujpl Opened issue #213 to document Favorites issue. Closing this issue.

nutjob4life commented 2 months ago

Okay, so #211 and #207 are closed now

When's a good time to put this onto edrn-labcas, mcl-labcas, and NIST LabCAS?

hoodriverheather commented 2 months ago

Good question! How long will this take? Maybe Friday? For NIST, should we test this change in NIST Dev first?

nutjob4life commented 2 months ago

@hoodriverheather I can update a LabCAS backend in 5 minutes, 10 tops, on edrn-labcas and mcl-labcas.

(We may be able to skip this for NIST LabCAS; the SecOps officers only called out edrn-labcas and mcl-labcas.)

hoodriverheather commented 2 months ago

@nutjob4life I think it's fine to update today if you want. I'm betting a lot of people are on vacation. :) Would it be a good idea to make these updates to the NIST Dev now too so we can test and deploy during our next update?

hoodriverheather commented 2 months ago

Oh, I see. Do you want to add that back?

> @hoodriverheather technically this issue is still blocked by #211 😉

nutjob4life commented 2 months ago

> Oh, I see. Do you want to add that back?

No, no need—both are closed—and I deleted that comment

hoodriverheather commented 2 months ago

Kk!


yuliujpl commented 2 months ago

The code is the same for favorite (using GET), I couldn't quickly figure out why it's not working other than those accounts were never instantiated with a favorites profile in the dev backend. This will take more time digging because the favorites part of the code has not changed!



hoodriverheather commented 2 months ago

@yuliujpl thanks for checking. we can put this as a lower priority.