feat: authenticate app with daemon #1298

Open
IGassmann opened this issue Apr 6, 2018 · 10 comments
Labels: area: daemon; area: devops; level: 2 (Some knowledge of the existing code is recommended); type: improvement (Existing (or partially existing) functionality needs to be changed); type: task (Either work that's not related to the code, or a small chore that does not fit into other categories)

Comments

@IGassmann
Contributor

Authentication available with daemon v0.20.0rc6.

@tzarebczan tzarebczan added type: improvement Existing (or partially existing) functionality needs to be changed level: 2 Some knowledge of the existing code is recommended area: devops area: daemon type: task Either work that's not related to the code, or a small chore that does not fit into other categories and removed needs: triage labels Apr 18, 2018
@tzarebczan
Contributor

tzarebczan commented May 4, 2018

Currently getting:

{
  "error": {
    "code": -32500,
    "data": [],
    "message": "InvalidHeaderError"
  },
  "id": null,
  "jsonrpc": "2.0"
}


Request URL: http://localhost:5279/
Request Method: POST
Status Code: 200 OK
Remote Address: 127.0.0.1:5279
Referrer Policy: no-referrer-when-downgrade

Response Headers
Accept: application/json-rpc
Content-Length: 127
Content-Type: application/json
Date: Fri, 04 May 2018 12:57:15 GMT
Server: TwistedWeb/16.6.0

Request Headers
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US
Connection: keep-alive
Content-Length: 66
content-type: text/plain;charset=UTF-8
Host: localhost:5279
Origin: http://localhost:9080
Referer: http://localhost:9080/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) LBRY/1.8.4 Chrome/59.0.3071.115 Electron/1.8.4 Safari/537.36
X-DevTools-Request-Id: 143216.26

Request Payload
{jsonrpc: "2.0", method: "status", params: {}, id: 1525438635185}

daemon shows:
2018-05-04 09:00:10,338 WARNING lbrynet.daemon.auth.server:382: Attempted api call from invalid Origin: http://localhost:9080

@kauffj
Member

kauffj commented May 4, 2018

@tzarebczan I got this yesterday as well. My daemon did not have an allowed_origin setting at all. It worked if allowed_origin was *.

The relevant daemon side check is here https://github.com/lbryio/lbry/blob/master/lbrynet/daemon/auth/server.py#L398

We need to figure out if the daemon just needs to provide a default setting or if the app needs to change this setting at install time.

@tzarebczan
Contributor

@kauffj spoke to @IGassmann last week and he said it should be done from the app side. @IGassmann, is setting allowed_origin to * the correct way to implement this?

This also happens in non-dev mode.

@tzarebczan
Contributor

These are the changes Jack made which should help us understand how the app should authenticate - it would need to create a handshake with the daemon: lbryio/lbry-sdk@743ae59#diff-2571ced04af2d940be952f29361a40a0R160

Notes:

- To start an authenticated session a client sends an HTTP POST to <user>:<password>@<api host>:<api port>. If accepted, the server replies with a TWISTED_SESSION cookie containing a session id and the message "OK".
- The client initializes their shared secret for hmac to be the b64 encoded sha256 of their session id.
- To send an authenticated request a client sends an HTTP POST to the auth api url with the TWISTED_SESSION cookie and includes a hmac token in the message using the previously set shared secret. If the token is valid the server will randomize the shared secret and return the new value under the LBRY_SECRET header, which the client uses to generate the token for their next request.
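The handshake described in the notes above, as an added example that is not the daemon's or the app's own code: an in-memory model of both sides, so the login, the per-request HMAC token, the secret rotation via LBRY_SECRET, and the reason a replayed message fails can be stepped through without a running daemon. The notes do not say how the token is computed or carried, so the following are assumptions: the token is HMAC-SHA256 over the JSON-RPC object serialised with sorted keys and no whitespace, it travels as an extra "hmac" member of that object, the session id is 16 random bytes in hex, and the rotated secret is 32 random bytes base64-encoded. The class and function names (AuthServer, AuthClient, demo, make_token) are mine.

```python
import base64
import hashlib
import hmac
import json
import secrets


def canonical(request):
    # Assumption: both sides sign the JSON-RPC object in a canonical encoding
    # (sorted keys, no whitespace) so they HMAC identical bytes.
    return json.dumps(request, sort_keys=True, separators=(",", ":")).encode()


def initial_secret(session_id):
    # From the thread: the first shared secret is the b64-encoded sha256 of the session id.
    return base64.b64encode(hashlib.sha256(session_id.encode()).digest())


def make_token(secret, request):
    # Assumption: HMAC-SHA256 over the canonical request, hex-encoded.
    return hmac.new(secret, canonical(request), hashlib.sha256).hexdigest()


class AuthServer:
    """Daemon side: issues the TWISTED_SESSION cookie, checks each token, rotates the secret."""

    def __init__(self, username, password):
        self._username = username
        self._password = password
        self._sessions = {}  # session id -> current shared secret (bytes)

    def start_session(self, username, password):
        # Models the POST to <user>:<password>@<api host>:<api port>.
        creds_ok = (hmac.compare_digest(username, self._username)
                    and hmac.compare_digest(password, self._password))
        if not creds_ok:
            raise PermissionError("bad credentials")
        session_id = secrets.token_hex(16)  # assumption: 16 random bytes, hex
        self._sessions[session_id] = initial_secret(session_id)
        return {"TWISTED_SESSION": session_id}, "OK"

    def handle(self, cookie, message):
        # Models the authenticated POST: cookie plus a JSON-RPC body carrying the token.
        session_id = cookie.get("TWISTED_SESSION")
        secret = self._sessions.get(session_id)
        if secret is None:
            raise PermissionError("unknown session")
        message = dict(message)               # leave the caller's copy untouched
        token = message.pop("hmac", None)     # assumption: token is the "hmac" member
        if not isinstance(token, str) or not hmac.compare_digest(make_token(secret, message), token):
            raise PermissionError("invalid hmac token")
        # Token accepted: randomize the secret and return it under LBRY_SECRET.
        new_secret = base64.b64encode(secrets.token_bytes(32))  # assumption: 32 random bytes, b64
        self._sessions[session_id] = new_secret
        reply = {"jsonrpc": "2.0", "result": {"method": message.get("method")}, "id": message.get("id")}
        return {"LBRY_SECRET": new_secret.decode()}, json.dumps(reply)


class AuthClient:
    """App side: logs in once, then signs every request with the secret from the previous reply."""

    def __init__(self, server):
        self._server = server
        self._cookie = None
        self._secret = None
        self.last_sent = None  # kept so the demo can attempt a replay

    def login(self, username, password):
        self._cookie, body = self._server.start_session(username, password)
        self._secret = initial_secret(self._cookie["TWISTED_SESSION"])
        return body

    def call(self, method, params=None, req_id=1):
        request = {"jsonrpc": "2.0", "method": method, "params": params or {}, "id": req_id}
        self.last_sent = dict(request, hmac=make_token(self._secret, request))
        headers, body = self._server.handle(self._cookie, self.last_sent)
        self._secret = headers["LBRY_SECRET"].encode()  # key for the next request
        return json.loads(body)


def demo():
    """Login, two authenticated calls, then a replay and a bad login; returns what happened."""
    server = AuthServer("lbry", "hunter2")
    client = AuthClient(server)
    login = client.login("lbry", "hunter2")
    first = client.call("status", {}, req_id=1)
    first_message = client.last_sent
    second = client.call("status", {}, req_id=2)
    try:  # the first message was signed with a secret that has since been rotated twice
        server.handle(client._cookie, first_message)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    try:
        server.start_session("lbry", "wrong")
        bad_login_rejected = False
    except PermissionError:
        bad_login_rejected = True
    return {"login": login, "first_id": first["id"], "second_id": second["id"],
            "replay_rejected": replay_rejected, "bad_login_rejected": bad_login_rejected}
```

Rotating the secret after every accepted request is what makes a captured message useless for replay, but it also means the client is only as synchronised as its last successful response: if a reply carrying LBRY_SECRET is lost, the client no longer knows the current key and has to start a new session.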

@kauffj
Member

kauffj commented May 8, 2018

@tzarebczan please get issues created app side.

More importantly, the sprint and release process needs to better handle this and this should be discussed in an upcoming retrospective (@jackrobison @lyoshenka @eukreign). If a daemon upgrade requires all apps using it to change their behavior in how they call it, this ought to be extremely prominently mentioned in release notes, and we ought to be identifying these issues and creating tickets appropriately (or at least letting key team members know).

@tzarebczan
Contributor

tzarebczan commented May 9, 2018

@kauffj agreed but I think there is some confusion. This was the issue created as a result of communication between Jack and Igor - which was to enable the app to use http authentication (not currently doing so). It's not a mandatory setting, so all previous apps should work correctly without it.

The confusion lies in some other changes that went along with this which is causing the app/daemon communication problem - I'm trying to debug the source of the issue and will work with Jack to fix it.

@tzarebczan
Contributor

Findings:

dev mode:
2018-05-09 14:44:46,332 INFO     lbrynet.daemon.auth.server:380: header: Origin:
2018-05-09 14:44:46,332 INFO     lbrynet.daemon.auth.server:388: source: http://localhost:9080:
2018-05-09 14:44:46,332 INFO     lbrynet.daemon.auth.server:402: server/port: localhost:9080
2018-05-09 14:44:46,332 WARNING  lbrynet.daemon.auth.server:383: Attempted api call from invalid Origin: http://localhost:9080
non dev:
2018-05-09 13:55:46,967 INFO     lbrynet.daemon.auth.server:380: header: Origin:
2018-05-09 13:55:46,967 INFO     lbrynet.daemon.auth.server:388: source: null:
2018-05-09 13:55:46,967 INFO     lbrynet.daemon.auth.server:402: server/port: :80
2018-05-09 13:55:46,967 WARNING  lbrynet.daemon.auth.server:383: Attempted api call from invalid Origin: null
2018-05-09 13:55:46,969 WARNING  lbrynet.daemon.auth.server:211: error processing api request: InvalidHeaderError

Postman jsonrpc:

2018-05-11 09:58:01,785 INFO     lbrynet.daemon.auth.server:380: header: Origin:
2018-05-11 09:58:05,637 INFO     lbrynet.daemon.auth.server:388: source: None:
2018-05-11 09:58:05,638 INFO     lbrynet.daemon.auth.server:380: header: Referer:
2018-05-11 09:58:05,638 INFO     lbrynet.daemon.auth.server:388: source: None:

Not sure if it's the app doing something wrong, or if lbry side needs to be fixed.
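The three header shapes in the findings above (a real Origin of http://localhost:9080 in dev mode, the literal Origin "null" that a page loaded from file:// sends in the packaged app, and no Origin or Referer at all from Postman) are exactly the cases an Origin check on a local JSON-RPC port has to decide on. The following is an added example of such a check, written here and not taken from lbrynet; it assumes headers arrive as a dict with canonical-case keys and that the policy is: no browser header means a non-browser client and is allowed, "null" is allowed only when listed explicitly or when allowed_origin is "*", and any other source must match the API's own host:port or the configured allowed_origin. The function names (origin_allowed, host_port, evaluate) and the sample header sets are mine. One caveat worth stating: setting allowed_origin to "*", which the thread reports as making the error go away, turns the check off entirely, and for an RPC port that is not otherwise authenticated that means any page the user visits can drive the daemon from the browser.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}


def host_port(url):
    """Return 'host:port' for a URL, filling in the scheme's default port; None if no host."""
    parts = urlsplit(url)
    if not parts.hostname:          # "null", "", and garbage all land here
        return None
    try:
        port = parts.port
    except ValueError:              # non-numeric port in the header
        return None
    port = port or DEFAULT_PORTS.get(parts.scheme)
    return f"{parts.hostname}:{port}" if port else parts.hostname


def request_source(headers):
    """Header the decision is based on: Origin first, then Referer. Returns (name, value)."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value is not None:
            return name, value
    return None, None


def origin_allowed(headers, api_host, api_port, allowed_origin=None):
    """
    Decide whether a JSON-RPC POST may reach the API, given its browser headers.
      - neither Origin nor Referer present: not a browser context (Postman, curl); allow.
      - Origin "null": opaque origin (file:// page, sandboxed frame); allow only if the
        operator listed "null" explicitly or allowed "*".
      - otherwise the source host:port must equal the API's own, or equal the configured
        allowed_origin's host:port, or allowed_origin must be "*".
    """
    _, source = request_source(headers)
    if source is None:
        return True
    if allowed_origin == "*":
        return True
    if source == "null":
        return allowed_origin == "null"
    src = host_port(source)
    if src is None:
        return False
    if src == f"{api_host}:{api_port}":
        return True
    return allowed_origin is not None and host_port(allowed_origin) == src


# Constructed header sets modelled on the shapes reported in the thread's logs.
CASES = {
    "dev mode": {"Origin": "http://localhost:9080", "Referer": "http://localhost:9080/"},
    "packaged app (file://)": {"Origin": "null"},
    "postman": {},
    "same origin": {"Origin": "http://localhost:5279"},
}


def evaluate(allowed_origin=None, api_host="localhost", api_port=5279):
    """Run every constructed case against one allowed_origin setting."""
    return {name: origin_allowed(h, api_host, api_port, allowed_origin) for name, h in CASES.items()}
```

With allowed_origin unset the dev-server and file:// cases are both refused and Postman is let through, which matches the pattern of warnings in the logs above; with "*" every case passes; with allowed_origin set to the dev server's own origin only the dev case changes to allowed, and the file:// case still needs "null" listed on purpose.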

@lyoshenka lyoshenka added the priority: blocker Issue is blocking release, do ASAP label May 15, 2018
@tzarebczan
Contributor

@jackrobison / @lyoshenka will be looking into this from the daemon side to ensure it's implemented properly.

@tzarebczan tzarebczan removed the priority: blocker Issue is blocking release, do ASAP label Jun 10, 2018
@tzarebczan
Contributor

This check was removed from the daemon for now.

@alyssaoc
Contributor

@tzarebczan and @jackrobison What is the status of this?
