marmelab / ng-admin

Add an AngularJS admin GUI to any RESTful API
http://ng-admin-book.marmelab.com/
MIT License
3.95k stars 725 forks

Authentication Problems #1064

Closed exylian closed 8 years ago

exylian commented 8 years ago

So first of all, this is my first time using ng-admin... I just want to try some things.

The problem is that my REST API requires Basic Authentication. So I've set it up as explained, but it doesn't work... When I look at my HTTP headers, there is no auth info in them.

My current code looks like:

```js
(function () {
    "use strict";

    var myApp = angular.module('myApp', ['ng-admin']);

    myApp.config(['RestangularProvider', function (RestangularProvider) {
        var login = 'admin',
            password = 'admin',
            token = window.btoa(login + ':' + password);
        RestangularProvider.setDefaultHeaders({'authorization': 'Basic ' + token});
    }]);

    myApp.config(['NgAdminConfigurationProvider', function (NgAdminConfigurationProvider) {
        var nga = NgAdminConfigurationProvider;

        var admin = nga.application('Testing')
            .baseApiUrl('http://127.0.0.1:8080/');

        var category = nga.entity('categories');
        category.listView().fields([
            nga.field('id'),
            nga.field('parent'),
            nga.field('name')
        ]);

        admin.addEntity(category);

        nga.configure(admin);
    }]);
}());
```

Do I overlook something?

sam2x commented 8 years ago

Not sure it's related to ng-admin. Looks to me like a CORS policy is missing when preflighted requests occur. Do you have "authorization" in the Access-Control-Allow-Headers of the server response?

exylian commented 8 years ago

Yeah already checked this, too

Maybe it helps:

The header looks like:

```
OPTIONS /categories?_page=1&_perPage=30&_sortDir=DESC&sortField=id HTTP/1.1
Host: 127.0.0.1:8080
Accept: /_
Accept-Encoding: gzip, deflate, sdch
Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Access-Control-Request-Headers: accept, authorization
Access-Control-Request-Method: GET
Origin: http://admin.local
Referer: http://admin.local/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
```

```
HTTP/1.1 401 Unauthorized
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, authorization
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: http://admin.local
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Thu, 12 May 2016 15:57:33 GMT
Expires: 0
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=FE882220C27C9335FF8370CAB87CCC70; Path=/; HttpOnly
Vary: Origin
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
```

sam2x commented 8 years ago

I don't know if it's your problem, but your host header request (127.0.0.1:8080) is not the same as the origin (http://admin.local). Can you replace

  .baseApiUrl('http://127.0.0.1:8080/');

To:

  .baseApiUrl('http://admin.local:8080');

I mean, check that you have the same port, the same hostname (check your /etc/hosts) and the same URL as the one used in the browser when you access your admin panel. I ran into the same problem in my local dev environment, where my origin wasn't the same as the one declared in the app/server.

exylian commented 8 years ago

Unfortunately no change :(

```
OPTIONS /categories?_page=1&_perPage=30&_sortDir=DESC&sortField=id HTTP/1.1
Host: admin.local:8080
Accept: /_
Accept-Encoding: gzip, deflate, sdch
Accept-Language: de-DE,de;q=0.8,en-US;q=0.6,en;q=0.4
Access-Control-Request-Headers: accept, authorization
Access-Control-Request-Method: GET
Origin: http://admin.local
Referer: http://admin.local/
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
```

```
HTTP/1.1 401 Unauthorized
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, authorization
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: http://admin.local
Allow: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, PATCH
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Fri, 13 May 2016 11:49:05 GMT
Expires: 0
Pragma: no-cache
Server: Apache-Coyote/1.1
Set-Cookie: JSESSIONID=439CB14051294B2DE73C968AADDBC6E7; Path=/; HttpOnly
Vary: Origin
WWW-Authenticate: Basic realm="Realm"
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
```

sam2x commented 8 years ago

Your request goes to admin.local:8080 when your origin is still admin.local.

Your environment should be:

- Server: admin.local
- Rest-endpoint: admin.local

Here you have:

- Server: admin.local
- Rest-endpoint: admin.local:8080

So there is a violation of CORS. You should have the same protocol/host/port. 2 solutions:

1) Route your rest-endpoint in your own server.
2) Allow another origin (not advised in production environment).

Example for 2) with nodejs (code is inside a middleware at the root app)

```js
// `dev` is assumed to be a flag the application sets in its development environment
app.use(function (req, res, next) {
    if (dev) {
        res.header('Access-Control-Allow-Origin', 'http://yourlocaldomain');
        res.header('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE,OPTIONS');
        res.header('Access-Control-Allow-Headers', 'Content-Type,X-Total-Count,Authorization');
        res.header('Access-Control-Allow-Credentials', 'true');
    }
    // Hand the request on to the next middleware or route
    next();
});
```

Also go check if you have `RestangularProvider.setDefaultHttpFields({withCredentials: true});` https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials

In either case, you should go ask on the Restangular GitHub; ng-admin is just an interface, it doesn't deal with the underlying network API.

fzaninotto commented 8 years ago

I second @sam2x, this is not a bug in ng-admin, nor an ng-admin usage problem; ask the Restangular guys instead.
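Added example, not part of the thread and not ng-admin or Restangular code: a Node.js check of a captured preflight exchange like the ones posted above against the conditions a browser applies before it sends the real request. Browsers send the preflight `OPTIONS` without credentials and require a 2xx answer to it; `parseHead` and `checkPreflight` are hypothetical helper names, and the sample input is abbreviated from the second exchange in the thread.

```javascript
// Parse a raw HTTP message head into { startLine, headers } (names lowercased).
function parseHead(raw) {
  const lines = raw.trim().split(/\r?\n/).map((l) => l.trim()).filter(Boolean);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return { startLine: lines[0], headers };
}

const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// Hypothetical helper: reasons a browser rejects this preflight (empty = pass).
function checkPreflight(rawRequest, rawResponse) {
  const req = parseHead(rawRequest).headers;
  const res = parseHead(rawResponse);
  const problems = [];
  // A preflight carries no credentials, so the server must answer it with 2xx.
  const status = Number(res.startLine.split(' ')[1]);
  if (!(status >= 200 && status <= 299)) problems.push('status ' + status + ' is not 2xx');
  // '*' is only honoured for requests made without credentials.
  const allowOrigin = res.headers['access-control-allow-origin'];
  if (allowOrigin !== req.origin && allowOrigin !== '*') {
    problems.push('Access-Control-Allow-Origin does not match Origin');
  }
  // Stricter than a browser: safelisted headers such as accept need no listing.
  const allowed = list(res.headers['access-control-allow-headers']);
  for (const h of list(req['access-control-request-headers'])) {
    if (!allowed.includes(h)) problems.push('header not allowed: ' + h);
  }
  // GET, HEAD and POST are always permitted; other methods must be listed.
  const method = (req['access-control-request-method'] || '').toLowerCase();
  const listed = list(res.headers['access-control-allow-methods']).includes(method);
  if (!['get', 'head', 'post'].includes(method) && !listed) {
    problems.push('method not allowed: ' + method);
  }
  return problems;
}

// Sample input: the second exchange posted in the thread, abbreviated.
const sampleRequest = `OPTIONS /categories HTTP/1.1
Access-Control-Request-Headers: accept, authorization
Access-Control-Request-Method: GET
Origin: http://admin.local`;
const sampleResponse = `HTTP/1.1 401 Unauthorized
Access-Control-Allow-Headers: accept, authorization
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: http://admin.local
WWW-Authenticate: Basic realm="Realm"`;
console.log(checkPreflight(sampleRequest, sampleResponse));
```

On the captured exchange the CORS headers all line up and the only finding is the 401 status, so the server-side fix to look for is letting unauthenticated `OPTIONS` requests through the Basic-auth filter.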