With Kong 1.4.0rc1, `password` is a required field for creating basic-auth credentials.
While this change makes total sense, as the API never returns an auto-generated password in plain text, it is a breaking change.
```
# start Kong 1.4.0rc1
http :8001/consumers username=foo
HTTP/1.1 201 Created
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 115
Content-Type: application/json; charset=utf-8
Date: Mon, 07 Oct 2019 02:21:43 GMT
Server: kong/1.4.0rc1
X-Kong-Admin-Latency: 9

{
    "created_at": 1570414903,
    "custom_id": null,
    "id": "2405d5c9-4547-4032-a1cb-832a0cda4c1a",
    "tags": null,
    "username": "foo"
}

http :8001/consumers/foo/basic-auth username=foo
HTTP/1.1 400 Bad Request
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 147
Content-Type: application/json; charset=utf-8
Date: Mon, 07 Oct 2019 02:22:06 GMT
Server: kong/1.4.0rc1
X-Kong-Admin-Latency: 1

{
    "code": 2,
    "fields": {
        "password": "required field missing"
    },
    "message": "schema violation (password: required field missing)",
    "name": "schema violation"
}
```
`$ kong version`: 1.4.0rc1

@hbagdi, why should it not be required? The password is hashed. So even if the source for the hashing function is auto-generated, you can never find out what the source was, unless you brute-force such a password. So that makes auto-generated passwords totally useless. Thus password must be required. It is a breaking change, as it fixes a bug (thus not really breaking anything). Credentials that are available only for some milliseconds in memory are totally useless. Almost the same as no credential at all. We discussed this already with @hishamhm, before we went ahead with the decision.
As I said in the original post, this change is totally valid and makes sense, as the previous behavior was unusable. I agree that we can classify this as a bug and change the behavior.
We should make it a point to call this out in the changelog (which we don't do at the moment in the rc1 branch).
@hbagdi thanks for the clarification! We are on the same page!
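As an added example, not code from this issue or from Kong's own code base: a small Python client for `POST /consumers/{consumer}/basic-auth` under the 1.4.0rc1 contract discussed above. It generates the password client-side with a CSPRNG (the only plaintext copy there will ever be, since Kong stores a hash), sends it as the now-required field, and turns the schema-violation response into an error instead of silently creating nothing. The Admin API address (`http://localhost:8001`), the `fake_kong_admin` stand-in that replays the two responses from the transcript, and the placeholder `id` it returns are assumptions made so the script runs offline; leave `transport` unset to talk to a real Admin API.

```python
import json
import secrets
import string
import urllib.error
import urllib.parse
import urllib.request

# Assumed Admin API address; the transcript in the issue uses :8001.
ADMIN_URL = "http://localhost:8001"


def generate_password(length: int = 32) -> str:
    """Generate the credential client-side with a CSPRNG.

    Kong stores only a hash, so this string is the single plaintext copy that
    will ever exist; hand it to the consumer or a secrets manager immediately.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _urllib_transport(url: str, body: bytes):
    """Real HTTP transport: POST form data, return (status, raw_body)."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        # Kong sends its JSON error document with the 4xx status; keep it.
        return err.code, err.read()


def fake_kong_admin(url: str, body: bytes):
    """Constructed stand-in for the Admin API so the flow runs offline.

    It reproduces the two responses shown in the issue: 400 with a schema
    violation when 'password' is absent, 201 with the created object otherwise.
    """
    fields = dict(urllib.parse.parse_qsl(body.decode()))
    if url.endswith("/basic-auth") and "password" not in fields:
        doc = {
            "code": 2,
            "fields": {"password": "required field missing"},
            "message": "schema violation (password: required field missing)",
            "name": "schema violation",
        }
        return 400, json.dumps(doc).encode()
    # Like the real API, the created object never echoes the plaintext password.
    # The id below is a placeholder, not a value from the issue.
    created = {"id": "00000000-0000-0000-0000-000000000000",
               "username": fields.get("username")}
    return 201, json.dumps(created).encode()


def admin_post(path: str, fields: dict, admin_url: str = ADMIN_URL, transport=None):
    """POST form-encoded fields to the Admin API; return (status, parsed JSON)."""
    transport = transport or _urllib_transport
    url = admin_url.rstrip("/") + path
    status, raw = transport(url, urllib.parse.urlencode(fields).encode())
    return status, (json.loads(raw) if raw else {})


def create_basic_auth(consumer: str, username: str, password=None,
                      admin_url: str = ADMIN_URL, transport=None):
    """Create a basic-auth credential for `consumer`.

    Since 1.4.0rc1 'password' is required, so if the caller did not supply one
    it is generated here and returned next to the API response. A non-201
    status (e.g. the 400 schema violation) is raised with Kong's own message.
    """
    if password is None:
        password = generate_password()
    status, data = admin_post(f"/consumers/{consumer}/basic-auth",
                              {"username": username, "password": password},
                              admin_url, transport)
    if status != 201:
        raise RuntimeError(
            f"basic-auth creation failed ({status}): {data.get('message', data)}")
    return data, password


if __name__ == "__main__":
    # Offline demonstration against the constructed stand-in.
    status, err = admin_post("/consumers/foo/basic-auth", {"username": "foo"},
                             transport=fake_kong_admin)
    print(status, err["message"])
    created, plaintext = create_basic_auth("foo", "foo", transport=fake_kong_admin)
    print(created, "plaintext password (store it now):", plaintext)
```

The transport is injectable only so the request/response handling can be exercised without a gateway; against a real deployment the same `create_basic_auth` call is the one that matters, and the returned plaintext has to be persisted by the caller because no later Admin API call will reveal it.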