snipe / snipe-it

A free open source IT asset/license management system
https://snipeitapp.com
GNU Affero General Public License v3.0

Api-Token gets invalidated when Restarting Client-Application #13684

Open spammads opened 1 year ago

spammads commented 1 year ago

Debug mode

Describe the bug

Thanks for the great app. I create an Api-Token. It works unless I restart my client app. Then I get the response that this token is no longer valid. Seems there is some kind of fingerprinting active!?

Reproduction steps

  1. Create Api Token under User-Settings
  2. Authenticate via Bearer Token
  3. Restart Client-App
  4. Bearer Token is not valid anymore

Expected behavior

Api Token should be valid for 20 years as described in the documentation.

Screenshots

No response

Snipe-IT Version

6.3.0

Operating System

Talos 1.5.2

Web Server

Apache (Dockerfile)

PHP Version

8.1.0

Operating System

No response

Browser

No response

Version

No response

Device

No response

Operating System

No response

Browser

No response

Version

No response

Error messages

No response

Additional context

No response

spammads commented 1 year ago

Btw: I set Api-Throttling to 5000 via Env-Vars. But this does not resolve this issue.

snipe commented 1 year ago

Btw: I set Api-Throttling to 5000 via Env-Vars. But this does not resolve this issue.

API throttling wouldn't matter here - that just handles how many requests per minute/hour will be permitted before throwing a "too many requests" response.

Can you re-clarify the version of Snipe-IT you're using please. You stated 6.3.0, but that version doesn't exist.

spammads commented 1 year ago

Ah. Sorry. I misread. It's 6.2.0.

spammads commented 1 year ago

First I got the impression that this occurs when the client-app is restarted. But now it occurs when the Snipe-It container is restarted (I use docker). Though I can see the Token is persisted between restarts, it appears to not be valid anymore.

BenGig commented 1 year ago

Can confirm the behavior. We run it on Kubernetes; whenever the pods get restarted the tokens become invalid.

We fixed it by using a persistent volume mounted over /var/lib/snipeit. As long as the keys aren't stored in the persistent storage (database), this is the only way for Docker containers, as everything stored inside is ephemeral. Maybe you can add it to the documentation for Docker setups.

dem972 commented 1 year ago

Hey, looks like I'm facing the same issue: the pod can be moved to another node or restarted. Then I'm losing the access and get 401 with the API. Mounting will not really help for me since the pod is moving node; was thinking if there is a way to force the API token or store it on S3.
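A Kubernetes manifest that applies the fix BenGig describes (a persistent volume mounted over /var/lib/snipeit) and covers dem972's rescheduled-pod case as far as the storage backend allows. This is an added example, not code from the Snipe-IT project or from anyone in the thread; the object names, image tag and storage class are assumptions.

```yaml
# Added example, not from the Snipe-IT project or the thread.
# A PersistentVolumeClaim plus a Deployment that mounts it over
# /var/lib/snipeit, the path BenGig reports mounting so that the
# keys survive a container restart.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: snipeit-data          # assumption: claim name
spec:
  accessModes:
    - ReadWriteOnce
  # Assumption: use a network-backed storage class so the volume can be
  # reattached when the pod is rescheduled onto another node (dem972's case);
  # a node-local volume would be left behind on the old node.
  storageClassName: standard
  resources:
    requests:
      storage: 2Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: snipeit
spec:
  replicas: 1
  selector:
    matchLabels:
      app: snipeit
  strategy:
    # A ReadWriteOnce volume cannot be attached to the old and new pod at
    # the same time, so replace the pod instead of rolling it.
    type: Recreate
  template:
    metadata:
      labels:
        app: snipeit
    spec:
      containers:
        - name: snipeit
          image: snipe/snipe-it:v6.2.0   # assumption: version named in the thread
          ports:
            - containerPort: 80
          volumeMounts:
            - name: data
              mountPath: /var/lib/snipeit
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: snipeit-data
```

After a restart or a move to another node, an existing bearer token should keep returning 200 rather than 401; if it still fails, check that the claim is actually bound and mounted at that path inside the pod.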