gregorwolf / pg-beershop

CAP Beershop with PostgreSQL

Authentication #169

Closed T1mey closed 2 years ago

T1mey commented 2 years ago

Hi @gregorwolf ,

I just tested the authentication of my service and it is accessible without authentication.

I added the strategy as here: https://github.com/gregorwolf/pg-beershop/blob/2f9a5e81408a749a4e806d43119e927325d48d34/package.json#L91

I assumed that even in SAP BAS an xsuaa auth is going to be forced. But there is no auth. coming up (I configured default-env.json and xs-security.json).

cds env list requires.uaa is returning undefined.

gregorwolf commented 2 years ago

Please have a look at the developer tools network tab when you open the app in an incognito window. You will see that you're authenticated via the SAP ID Service (https://accounts.sap.com).

T1mey commented 2 years ago

I can access my deployed application (btp) without any authentication. BTP is configured to our corp. IDP. So if I open the URL (in private session) of the CAP srv app it's not forcing me to authenticate.

gregorwolf commented 2 years ago

It's normal that this page is shown for the srv part of the CAP applications. Have you tried accessing one of the services? It should give you an access denied. If you want to disable showing this page, please check out the CAP Release Notes from January 2021: cds.server provides an option to switch off the automatically generated index.html served at /. Do that in a custom server.js:

T1mey commented 2 years ago

The page is not really the problem. But my service is delivering data out of the db without auth.

gregorwolf commented 2 years ago

Can you replicate the issue with the pg-beershop project? You can try my deployment at https://07fc19abtrial-dev-pg-beershop-srv.cfapps.eu10.hana.ondemand.com/ and you will see that all entities are protected.

gregorwolf commented 2 years ago

You can only access via the Approuter at https://07fc19abtrial-dev-pg-beershop-app.cfapps.eu10.hana.ondemand.com (please note that due to this running on SAP BTP trial the endpoints will only work in the next hours).

T1mey commented 2 years ago

Hi @gregorwolf ,

you're right, your SAPUI5 frontend is protected by the managed app router, which routes the calls to the srv_api destination. In my case this is protected as well.

BUT if you invoke the OData service with the direct URL (I do not know the URL for your account) it is unprotected.

gregorwolf commented 2 years ago

If you can replicate the issue with the pg-beershop app then send me a link to your deployment. You might use your SAP BTP Trial account to not share the corporate one.

T1mey commented 2 years ago

Can you copy the URL (under app. routes) and open this in a private browser session?

gregorwolf commented 2 years ago

I can't access your subaccount. How should I copy that?

T1mey commented 2 years ago

I meant in yours...

gregorwolf commented 2 years ago

[screenshot attached: 2021-11-10 11:28:16]

T1mey commented 2 years ago

ok. Thanks a lot.... Have to check why this is not working for me.

T1mey commented 2 years ago

Ah I see my mistake... You're using your own approuter for your UI5 apps.

  - name: pg-beershop-app
    type: nodejs
    path: app
    build-parameters:
      ignore: ["node_modules/"]
    parameters:
      memory: 256M
      disk-quota: 1024M
    requires:
     - name: pg-beershop-destination-service
     - name: pg-beershop-uaa
     - name: srv-api
       group: destinations
       properties:
          forwardAuthToken: true
          strictSSL: false
          name: srv_api
          url: ~{srv-url}

I'm deploying my apps to the html5 repo and now I need to protect my CAP project with xsuaa. I thought a require to the xsuaa service would be enough... but it isn't.

T1mey commented 2 years ago

@gregorwolf

Is it a good idea to add to my server.js

const cds = require("@sap/cds");
const passport = require("passport");
const xsenv = require("@sap/xsenv");
const { JWTStrategy } = require("@sap/xssec");

// Register the XSUAA JWT strategy with the credentials of the bound xsuaa service
passport.use(new JWTStrategy(xsenv.getServices({ xsuaa: { tag: "xsuaa" } }).xsuaa));

// Require a valid JWT on every request handled by the CAP server
cds.on("bootstrap", app => app.use(passport.initialize()));
cds.on("bootstrap", app => app.use(passport.authenticate("JWT", { session: false })));

// A custom server.js must hand control back to the CAP server
module.exports = cds.server;

Or do I override the CAP handling for authentication with that?

gregorwolf commented 2 years ago

I never had to do that. If you have the authentication issues with your own application then please hire me as a consultant and I will help you there. If you can replicate the issue with the current pg-beershop main branch then we can continue here.