search

fractal-analytics-platform / fractal-containers

Containers for testing Fractal
BSD 3-Clause "New" or "Revised" License
1 stars 0 forks source link

Fix error in web-client configuration #3

Closed tcompa closed 11 months ago

tcompa commented 11 months ago 
INFO:     172.23.0.4:40864 - "GET /auth/whoami HTTP/1.1" 401 Unauthorized
INFO:     172.23.0.4:40864 - "GET /api/alive/ HTTP/1.1" 200 OK
CRITICAL:root:I AM IN current_user_dependency
CRITICAL:root:args=()
CRITICAL:root:kwargs={'user_manager': <fractal_server.app.security.UserManager object at 0x7f332846e050>, 'bearerjwt': None, 'strategy_bearerjwt': <fastapi_users.authentication.strategy.jwt.JWTStrategy object at 0x7f3328456990>, 'cookiejwt': None, 'strategy_cookiejwt': <fastapi_users.authentication.strategy.jwt.JWTStrategy object at 0x7f3328457210>}
CRITICAL:root:I AM IN _authenticate
CRITICAL:root:enabled_backends=[<fastapi_users.authentication.backend.AuthenticationBackend object at 0x7f332a43a650>, <fastapi_users.authentication.backend.AuthenticationBackend object at 0x7f332b331790>]
CRITICAL:root:backend=<fastapi_users.authentication.backend.AuthenticationBackend object at 0x7f332a43a650>
CRITICAL:root:backend is enabled
CRITICAL:root:name_to_variable_name(backend.name)='bearerjwt'
CRITICAL:root:token_key='bearerjwt'
CRITICAL:root:(token_key in kwargs.keys())=True
CRITICAL:root:kwargs.get(token_key, 111)=None
CRITICAL:root:token=None
CRITICAL:root:backend=<fastapi_users.authentication.backend.AuthenticationBackend object at 0x7f332b331790>
CRITICAL:root:backend is enabled
CRITICAL:root:name_to_variable_name(backend.name)='cookiejwt'
CRITICAL:root:token_key='cookiejwt'
CRITICAL:root:(token_key in kwargs.keys())=True
CRITICAL:root:kwargs.get(token_key, 111)=None
CRITICAL:root:token=None
CRITICAL:root:BEFORE if-user
CRITICAL:root:user=None
CRITICAL:root:Now re-raising something..
CRITICAL:root:e=HTTPException(status_code=401, detail='Unauthorized')

This is tested with (roughly) 4e283eddf462501579fee4bd7d2d4e164490f6bf, and triggered by trying to log-in.

tcompa commented 11 months ago

Logs are custom logs that we added to _autenthicate, in https://github.com/fastapi-users/fastapi-users/blob/ff9fae631cdae00ebc15f051e54728b3c8d11420/fastapi_users/authentication/authenticator.py#L148.

In kwargs, both cookiejwt and bearerjwt are None, and then the user cannot be identified (and then a 401 is raised).

tcompa commented 11 months ago

Relevant file for re-adding some logs: /usr/local/lib/python3.11/site-packages/fastapi_users/authentication/authenticator.py

tcompa commented 11 months ago

Maybe we need a nginx proxy?

tcompa commented 11 months ago

Setting FRACTAL_CORS_ALLOW_ORIGIN="http://localhost:5173;http://localhost:5173/;localhost:5173;localhost:5173/;0.0.0.0:5173;http://172.18.0.2:5173/;http://192.168.64.2:5173/" in the fractal-server config (as somewhat suggested in https://stackoverflow.com/questions/74019736/cors-fastapi-problem-in-dockerized-deployment-to-digital-ocean) does not seem to make any difference, in my tests.

tcompa commented 11 months ago

Logging here something obtained with 0769d25c8bce0556765831da33907d061d17b18d. I may edit this comment later.

getting the bearer token -> success

The userAuthentication fractal-web function calls /auth/token/login, and gets a 200. response.json() looks like this

{
  access_token: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxIiwiYXVkIjpbImZhc3RhcGktdXNlcnM6YXV0aCJdLCJleHAiOjE2OTM0NzU2NjN9.chakNad-f0b0zqljvtvi7T3VJveqGOlcF6FXLoBq5kE',
  token_type: 'bearer'
}

And up to here it's all good.

tcompa commented 11 months ago

calling whoami -> fail

Then we call this function

/**
 * Fetches user identity
 * @param fetch
 * @returns {Promise<*>}
 */
export async function whoami(fetch) {
    const response = await fetch(FRACTAL_SERVER_HOST + '/auth/whoami', {
        method: 'GET',
        credentials: 'include',
        mode: 'cors'
    });

    if (response.ok) {
        return await response.json();
    }
    console.log("WHOAMI RESPONSE JSON");
    console.log(await response.json());

    throw new Error('Unable to fetch user identity');
}

and this one fails, with output

WHOAMI RESPONSE JSON
{ detail: 'Unauthorized' }
Error loading user info
Error: Unable to fetch user identity
    at whoami (file:///app/fractal-web/build/server/chunks/auth_api-160056df.js:28:9)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async load (file:///app/fractal-web/build/server/chunks/0-0a36c584.js:26:20)
    at async load_server_data (file:///app/fractal-web/build/server/index.js:1711:18)
    at async file:///app/fractal-web/build/server/index.js:3068:18
tcompa commented 11 months ago

cookie in browser? yes

The browser storage does include a fastapiusersauth cookie, with 

{
  domain: 'localhost',
  path: '/',
  expires: 2023-08-31T09:58:03.000Z,
  sameSite: 'lax',
  secure: false,
  httpOnly: true
}
tcompa commented 11 months ago

A CORS issue? I don't know..

I tried restarting fractal-server with FRACTAL_CORS_ALLOW_ORIGIN="*", and it did not change anything.

tcompa commented 11 months ago

Some more logs.

I modified the src/lib/server/api/v1/auth_api.js whoami function as in https://www.reddit.com/r/sveltejs/comments/r8jog9/server_requests_with_cookies_solved/how58j6, adding

headers: {
            cookie: request.headers.cookie
        }

to the fetch call. See Screenshot from 2023-09-01 14-06-46

Then, in src/routes/+layout.server.js, I modified the call to whoami to also include request, which I also include as an argument of the load function.

The logs I got are Screenshot from 2023-09-01 14-08-13

This shows that the whoami function "knows" about the correct cookie.

tcompa commented 11 months ago

Possibly relevant:

aangelone2 commented 11 months ago

Solved in 01ff4f by adapting code to pull web client from upstream branch 274-fix-cookie-issue, where issue with cookie blocking has been solved.