Closed sync-by-unito[bot] closed 2 months ago
➤ PM Bot commented:
Jira ticket: RCORE-2252
➤ michael-wb commented:
I just discovered that CURL does not send the Authorization header field on redirect (for obvious security reasons), which results in any user-based app services operations receiving a 401 "must authenticate first" error if the original endpoint URL responds with a 301/308 redirect message and the request is sent again to the new address in the redirect response. As a result, the user is logged out, since the authenticated response fails.
For most situations, the client app will not encounter this situation, since the location endpoint is requested prior to sending the first app services request after the app was started. This particular situation could happen if the deployment model was changed while the client app was running and the app requested an access token refresh. Fortunately, the user was automatically logged out when the deployment model was changed, so the user would need to log in again anyway.
A potential fix for this would be to always query the location prior to performing a login, which will help ensure the client app has the appropriate base URL for the server, since the location response always includes the most up to date information for the server host and websocket host URLs for accessing the cloud app.
➤ michael-wb commented:
Example wireshark capture of request packets and their responses.

Original request:

```http
GET /api/client/v2.0/auth/profile HTTP/1.1
Host: localhost:63526
Accept: application/json
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJiYWFzX2RldmljZV9pZCI6IjY2ZDA4NmYyMjgzODhiMjkxYzg4MjJjYSIsImJhYXNfZG9tYWluX2lkIjoiNjZkMDg2ZDgyODM4OGIyOTFjODgyMTM2IiwiZXhwIjoxNzI0OTQzODY2LCJpYXQiOjE3MjQ5NDIwNjYsImlzcyI6IjY2ZDA4NmYyMjgzODhiMjkxYzg4MjJjYyIsImp0aSI6IjY2ZDA4NmYyMjgzODhiMjkxYzg4MjJjZSIsInN0aXRjaF9kZXZJZCI6IjY2ZDA4NmYyMjgzODhiMjkxYzg4MjJjYSIsInN0aXRjaF9kb21haW5JZCI6IjY2ZDA4NmQ4MjgzODhiMjkxYzg4MjEzNiIsInN1YiI6IjY2ZDA4NmYyMjgzODhiMjkxYzg4MjJjOCIsInR5cCI6ImFjY2VzcyJ9.j9qgcsjdTCgfuLOEuN1IL141jBmFwisZJet1VFrK7zI
Content-Type: application/json;charset=utf-8
```

Redirect response:

```http
HTTP/1.1 301 Moved Permanently
location: http://localhost:9090/api/client/v2.0/auth/profile

<html><body><p>301 Moved Permanently to <a href="http://localhost:9090/api/client/v2.0/auth/profile">http://localhost:9090/api/client/v2.0/auth/profile</a></p></body></html>
```

Request to redirected location URL (note the missing Authorization header):

```http
GET /api/client/v2.0/auth/profile HTTP/1.1
Host: localhost:9090
Accept: application/json
Content-Type: application/json;charset=utf-8
```

Response from redirect location URL:

```http
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: application/json
Strict-Transport-Security: max-age=31536000; includeSubdomains;
Vary: Origin
X-Appservices-Request-Id: 66d086f228388b291c8822cf
X-Envoy-Max-Retries: 0
X-Frame-Options: DENY
Date: Thu, 29 Aug 2024 14:34:26 GMT
Content-Length: 24

{"error":"unauthorized"}
```
Update the CURL lib driver (`do_http_request()`) so it handles redirects, and either add a new test run that forces redirects to happen or update the existing "Ubuntu (Baas Redirector Enabled)" and "Ubuntu (Code Coverage)" test runs to also perform App Services redirects during the tests.