adsabs / adsws

ADS web services

401 Unauthorized for random requests #103

Open romanchyla opened 8 years ago

romanchyla commented 8 years ago

The following request never made it to the /vis-service:

curl 'https://api.adsabs.harvard.edu/v1/vis/paper-network' -H 'Pragma: no-cache' -H 'Origin: https://ui.adsabs.harvard.edu' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.8,it;q=0.6' -H 'Authorization: Bearer:2LuqvewG2v2auMHdsCenaBBQdsQ8hOexvdGmrvyK' -H 'Content-Type: application/json' -H 'Accept: application/json, text/javascript, */*; q=0.01' -H 'Cache-Control: no-cache' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36' -H 'Connection: keep-alive' -H 'Referer: https://ui.adsabs.harvard.edu/' --data-binary '{"query":["{\"fq\":[\"{!type=aqp v=$fq_database}\",\"{!type=aqp v=$fq_property}\"],\"fq_database\":[\"(database:\\\"astronomy\\\")\"],\"fq_property\":[\"(property:\\\"refereed\\\")\"],\"q\":[\"(bibgroup:cfa AND year:2016-2016)\"],\"sort\":[\"date desc, bibcode desc\"],\"rows\":[400]}"]}' --compressed

NOTE: It is a temporary token (already gone)

When I checked the database, the token was still there; it had proper _scopes, but still the requests never made it past ADSWS. As if the record could not be retrieved.

I'm expecting a bad timestamp either in redis or in the database. A problem that I can already see is that all timestamps are stored in the local time zone [or actually, without any timezone information].

romanchyla commented 8 years ago

And I am right: I tried changing the 'expires' date from 22:36 to 18:36 (the machine now says it is 18:46 UTC).

When I make the change, I get 401 immediately:

< Vary: Origin
< X-RateLimit-Limit: 5000
< X-RateLimit-Remaining: 4996
< X-RateLimit-Reset: 1470268800
< Content-Length: 164
< Connection: keep-alive

versus

< HTTP/1.1 401 UNAUTHORIZED
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Orcid-Authorization, X-BB-Api-Client-Version, X-CSRFToken
< Access-Control-Allow-Methods: DELETE, GET, OPTIONS, POST, PUT
< Access-Control-Allow-Origin: http://localhost:8000, http://ui.adsabs.harvard.edu, https://demo-bumblebee.us-east-1.elasticbeanstalk.com, https://demo.adsabs.harvard.edu, https://ui.adsabs.harvard.edu
< Content-Type: application/json
< Date: Wed, 03 Aug 2016 18:47:12 GMT
* Server nginx/1.8.0 is not blacklisted
< Server: nginx/1.8.0
< Set-Cookie: session=eyJfaWQiOnsiIGIiOiJaREpqWTJWalpEUmlPV1kxT1RsbE5tTXpZemc0TnpjNVpXUXlOak00T1dJPSJ9LCJfcGVybWFuZW50Ijp0cnVlfQ.CoPNsA.fjJ-I2JlnXDF7jCktxDzEnWm8bQ; Expires=Sat, 03-Sep-2016 18:47:12 GMT; HttpOnly; Path=/
< Vary: Origin
< Content-Length: 29
< Connection: keep-alive
< 
{
  "error": "Unauthorized"
* Connection #0 to host api.adsabs.harvard.edu left intact
}
romanchyla commented 8 years ago

So, this is the info recorded in the database (already expired, so it's fine to have it here):

adsws=> select * from oauth2token where access_token = 'rFMjn5Oq1j7RZdTFgE3jaNHKhAQ0OFVsfDdqYICM';
   id   |                client_id                 | user_id | token_type |               access_token               |              refresh_token               |          expires           |    _scopes    | is_personal | is_internal 
--------+------------------------------------------+---------+------------+------------------------------------------+------------------------------------------+----------------------------+---------------+-------------+-------------
 174630 | 9qtmNcxgY5APiKUpGW2eGall6WgreoUvkHbkXVmV |       1 | bearer     | rFMjn5Oq1j7RZdTFgE3jaNHKhAQ0OFVsfDdqYICM | jG6BY2LE6LDz8j00UYti6xLqG3uPNIpKYaic6DQM | 2016-08-03 18:51:03.477129 | execute-query | f           | t
(1 row)

This is the response from the webserver:

< HTTP/1.1 401 UNAUTHORIZED
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Accept, Authorization, Content-Type, Orcid-Authorization, X-BB-Api-Client-Version, X-CSRFToken
< Access-Control-Allow-Methods: DELETE, GET, OPTIONS, POST, PUT
< Access-Control-Allow-Origin: http://localhost:8000, http://ui.adsabs.harvard.edu, https://demo-bumblebee.us-east-1.elasticbeanstalk.com, https://demo.adsabs.harvard.edu, https://ui.adsabs.harvard.edu
< Content-Type: application/json
< Date: Wed, 03 Aug 2016 18:51:37 GMT
* Server nginx/1.8.0 is not blacklisted
< Server: nginx/1.8.0
< Set-Cookie: session=eyJfaWQiOnsiIGIiOiJOVGd5TVRjd01EVmhOREZrWWpkbFkyTXdNRGs0WkRRM05EVmhOMlJqWmpBPSJ9LCJfcGVybWFuZW50Ijp0cnVlfQ.CoPOuQ.5VN_qMyDG7D6auoZaCuobMaLedg; Expires=Sat, 03-Sep-2016 18:51:37 GMT; HttpOnly; Path=/
< Vary: Origin
< Content-Length: 29
< Connection: keep-alive
< 
{
  "error": "Unauthorized"
* Connection #0 to host api.adsabs.harvard.edu left intact
}

It kept responding; once the time passed 18:51:03, it started sending 401. So that's cool.

However, it is weird that BBB was sending some requests that succeeded and some that failed. I'd expect all requests to be failing universally.
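The first comment's hypothesis (an 'expires' column stored without timezone information) and the 22:36-versus-18:46 observation above are reproduced here in an added Python example; this is not adsws code, and the UTC-4 local zone, the 18:55 UTC "now" and the token row are constructed to mirror the numbers in the thread. It shows that the same naive 'expires' value passes or fails the validity check depending on which clock it is compared against, and how pinning both sides to UTC removes the ambiguity.

```python
from datetime import datetime, timedelta, timezone

# Constructed token row, shaped like the oauth2token record in the thread.
# 'expires' is naive (no tzinfo): the value says 18:51:03 but not which zone.
TOKEN_ROW = {
    "access_token": "EXAMPLE-TOKEN-PLACEHOLDER",  # not a real token
    "expires": datetime(2016, 8, 3, 18, 51, 3),
    "_scopes": "execute-query",
}


def is_valid_naive(row, now_naive):
    """Validator that compares naive datetimes directly.
    The verdict depends on which clock produced now_naive."""
    return row["expires"] > now_naive


def to_utc(naive, assumed_tz):
    """Pin down a naive timestamp by declaring the zone it was written in."""
    return naive.replace(tzinfo=assumed_tz).astimezone(timezone.utc)


def is_valid_aware(row, stored_tz, now_utc):
    """Validator that normalises both sides to UTC before comparing."""
    return to_utc(row["expires"], stored_tz) > now_utc


def demo():
    # Constructed assumption: the server's local zone is UTC-4 (August on the
    # US east coast, matching the 4-hour gap between 22:36 and 18:46 above),
    # and the real instant is 18:55 UTC, a few minutes after the UTC expiry.
    local = timezone(timedelta(hours=-4))
    now_utc = datetime(2016, 8, 3, 18, 55, 0, tzinfo=timezone.utc)
    now_local_naive = now_utc.astimezone(local).replace(tzinfo=None)  # 14:55
    now_utc_naive = now_utc.replace(tzinfo=None)                      # 18:55

    return {
        # naive compare against a local clock: token looks valid for 4 more hours
        "naive_vs_local_clock": is_valid_naive(TOKEN_ROW, now_local_naive),
        # naive compare against a UTC clock: token already expired -> 401
        "naive_vs_utc_clock": is_valid_naive(TOKEN_ROW, now_utc_naive),
        # aware compare, declaring how the column was written: unambiguous
        "aware_stored_as_utc": is_valid_aware(TOKEN_ROW, timezone.utc, now_utc),
        "aware_stored_as_local": is_valid_aware(TOKEN_ROW, local, now_utc),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'valid' if verdict else 'expired (401)'}")
```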