Prisma1: Authentication token invalid on new service

Created on 13 Nov 2018 · 12Comments · Source: prisma/prisma1

Describe the bug
I'm trying to create a new service on my new Heroku-hosted Prisma server. I've succesfully created the server, and it displays the playground when accessing it. However, when trying to create a service on the server, I get the following error:

Creating stage dev for service heroku-database

ERROR: Authentication token is invalid: Token can't be decoded: Invalid signature for this token or wrong algorithm.

{
  "data": {
    "addProject": null
  },
  "errors": [
    {
      "locations": [
        {
          "line": 2,
          "column": 9
        }
      ],
      "path": [
        "addProject"
      ],
      "code": 3015,
      "message": "Authentication token is invalid: Token can't be decoded: Invalid signature for this token or wrong algorithm.",
      "requestId": "local:management:cjofwmfmt00050684141qxrsn"
    }
  ],
  "status": 200
}

NOTE THE REQUEST ID: For some reason, it says local:management, even though it's trying to deploy to an external server. Not sure if this is important, but it might be.

To Reproduce
Steps to reproduce the behavior:

Host server on Heroku (although hosting provider shouldn't matter)
Add the server on app.prisma.io
Run prisma init heroku-database and select the server (while logged in to the same user) and defaults (note: dev stage, as used in endpoint below)
cd heroku-database
Change prisma.yml to reference env vars for endpoint and secret
Create .env file (.heroku.env) with values for endpoint and secret
yarn prisma deploy -e .heroku.env

where .heroku.env contains

PRISMA_ENDPOINT="https://app-name.herokuapp.com/heroku-database/dev"
PRISMA_SECRET="my-prisma-secret"
PRISMA_MANAGEMENT_API_SECRET="some-management-secret"

and prisma.yml is

endpoint: ${env:PRISMA_ENDPOINT}
secret: ${env:PRISMA_SECRET}
datamodel: datamodel.graphql

Expected behavior
I expect my new service to be created and the schema supplied in prisma.yml under datamodel to be deployed.

Versions (please complete the following information):

OS: OS X Mojave 10.14.1
prisma CLI: prisma/1.15.1 (darwin-x64) node-v10.9.0
Prisma Server: 1.19.3

Link to reproduction repo
https://github.com/jhalborg/prisma-heroku-token-replication

This even omits the secret field in the config, as the error is reproducible without it.

Source

jhalborg

Most helpful comment

After a fairly long debugging session with @divyenduz and pantharshit00, we finally found the issue.

TL;DR

Logout of the prisma CLI
Deploy the service, and make sure the env var PRISMA_MANAGEMENT_API_SECRET is set - either as a PATH variable, or by using .env files.

The reason for the issue is that the management secret would be overwritten by the Prisma CLI's account with an incorrect value. I'm not 100% sure on the particulars, but the solution was found after trying to cat ~/.prisma/config.yml and seeing that it has a cloudSessionKey, i.e.

cloudSessionKey: >-
  eyJhbGciOiJIUzINiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiJjamhpd2UxbjE2ZWxjMGE5Mms3b2Y1bmJ6IiwiaWF0IjoxNTQzMzE1NTg1LCJleHAiOjE1NDU5MDc1ODV9.Xccf0C-HCg0EuRH32DNMHqjTFjgI-w8KYcVpXA2tbjs
clusters: {}

Logging out of the CLI removes that key, leaving only clusters: {} in the config, so the CLI instead uses the passed in secret.

In our opinion, this is a bug, and an explicitly passed value should take priority over this implicit value, so I've created a bug report here

Thanks for the help to all that did 😄

jhalborg on 27 Nov 2018

👍3

All 12 comments

Just tried deleting my old prisma.yml and just use the CLI generated one where secret isn't defined, and I get the exact same error:

endpoint: https://appname.herokuapp.com/another/dev
datamodel: datamodel.graphql

My config.yml on my Prisma server looks like this:

port: ${PORT}
managementApiSecret: ${PRISMA_MANAGEMENT_API_SECRET}
databases:
  default:
    connector: mysql
    host: ${SQL_HOST}
    port: 3306
    database: ${DB_NAME}
    schema: public
    user: ${DB_USER}
    password: ${SQL_PASSWORD}
    migrations: true
    active: true

As far as I know, secret isn't supposed to be used on the Prisma server itself - only management-secret, and then the secret is instead defined in the service definition, correct?

jhalborg on 13 Nov 2018

Just tried setting EXPORT DEBUG="*" and get the following output:

config CWD /Users/myname/Documents/git/project-name +0ms
  config HOME /Users/myname +3ms
  config definitionDir /Users/myname/Documents/git/project-name +0ms
  config definitionPath /Users/myname/Documents/git/project-name/prisma.yml +0ms
  cli { isGlobal: false } +0ms
  StatusChecker setting status checker +0ms
  cli command id deploy +4ms
  cli:plugincache Got plugin from cache +0ms
  cli:plugincache /Users/myname/Library/Caches/prisma/plugins.json +1ms
  cli:plugincache Got plugin from cache +0ms
  cli:plugincache /Users/myname/Library/Caches/prisma/plugins.json +0ms
  plugins findCommand prisma-cli-core +0ms
  plugin requiring command +0ms
  cli-engine:plugins:manager requiring /Users/myname/Documents/git/project-name/node_modules/prisma-cli-core +0ms
  cli-engine:plugins:manager required +1s
  plugin required command +1s
  Environment saving global rc +0ms
  StatusChecker setting status checker +1s
  prisma definition making cluster here +0ms
  client Initializing cluster client +0ms
  deploy checking if project exists +0ms
  client Sending query to cluster heroku-stage +126ms
  client https://afternoon-lake-39446.herokuapp.com/management +0ms
  client
  client       query($name: String! $stage: String!) {
  client         project(name: $name stage: $stage) {
  client           name
  client           stage
  client         }
  client       }
  client      +0ms
  client { name: 'new', stage: 'stage' } +0ms
  deploy adding project +2s

Creating stage stage for service new...  client Sending query to cluster heroku-stage +2s
  client https://afternoon-lake-39446.herokuapp.com/management +0ms
  client       mutation addProject($name: String! $stage: String! $secrets: [String!]) {
  client         addProject(input: {
  client           name: $name,
  client           stage: $stage
  client           secrets: $secrets
  client         }) {
  client           project {
  client             name
  client           }
  client         }
  client       }
  client        +0ms
  client { name: 'new', stage: 'stage', secrets: null } +0ms
 !
Error: Authentication token is invalid: Token can't be decoded: Invalid signature for this token or wrong algorithm.: {"response":{"data":{"addProject":null},"errors":[{"locations":[{"line":2,"column":9}],"path":["addProject"],"code":3015,"message":"Authentication token is invalid: Token can't be decoded: Invalid signature for this token or wrong algorithm.","requestId":"local:management:cjogveaqc00090626xmiob6x4"}],"status":200},"request":{"query":"      mutation addProject($name: String! $stage: String! $secrets: [String!]) {\n        addProject(input: {\n          name: $name,\n          stage: $stage\n          secrets: $secrets\n        }) {\n          project {\n            name\n          }\n        }\n      }\n      ","variables":{"name":"new","stage":"stage","secrets":null}}}
    at GraphQLClient.<anonymous> (/Users/myname/Documents/git/project-name/node_modules/graphql-request/src/index.ts:72:13)
    at step (/Users/myname/Documents/git/project-name/node_modules/graphql-request/dist/src/index.js:40:23)
    at Object.next (/Users/myname/Documents/git/project-name/node_modules/graphql-request/dist/src/index.js:21:53)
    at fulfilled (/Users/myname/Documents/git/project-name/node_modules/graphql-request/dist/src/index.js:12:58)
    at process._tickCallback (internal/process/next_tick.js:68:7)
Exiting with code: 1
error Command failed with exit code 1.

I also tried switching to a -heroku image (1.20.4-heroku), but I'm not sure if I'm supposed to/need to?

Furthermore, I tried both with and without a secret:

endpoint: https://afternoon-lake-39446.herokuapp.com/new/stage
datamodel: datamodel.graphql
# secret: mysecret

Same error

jhalborg on 14 Nov 2018

@jhalborg : Can you please try by removing the quotes from the environment, making it look like:-

PRISMA_ENDPOINT=https://app-name.herokuapp.com/heroku-database/dev
PRISMA_SECRET=my-prisma-secret

Ideally, this should work with and without the quotes, I will try to reproduce it today.

divyenduz on 14 Nov 2018

@divyenduz - Thanks, but that doesn't work. Also, it breaks syntax highlightning, so I'm pretty sure it's not valid.

Furthermore, I tried removing the .env part as a factor by not using it, as mentioned in my followup comments. I even tried removing secret as a factor as well, by simly not having a secret.

This means that I can now reproduce the same error by simply

prisma init
Select the server
prisma deploy

I'd really appreciate some help here, it's a bit of a blocker for me :-)

Can you clarify wether I need the -heroku images when hosting on Heroku, or if those are just for your own Heroku integration? What is the difference between those images and the regular ones?

jhalborg on 14 Nov 2018

Log output from the Prisma server on Heroku:

2018-11-21T16:22:33.427547+00:00 heroku[router]: at=info method=POST path="/management" host=afternoon-lake-39446.herokuapp.com request_id=7251ba16-729e-4716-8fb4-acf48433506a fwd="85.191.188.121" dyno=web.1 connect=1ms service=26ms status=200 bytes=560 protocol=https
2018-11-21T16:22:33.577244+00:00 heroku[router]: at=info method=POST path="/management" host=afternoon-lake-39446.herokuapp.com request_id=355acf90-9209-4bc0-b652-f74aad2d161b fwd="85.191.188.121" dyno=web.1 connect=0ms service=26ms status=200 bytes=588 protocol=https
2018-11-21T16:22:33.426841+00:00 app[web.1]: {"key":"error/handled","requestId":"local:management:cjordm8qn000x06529nmmpbfr","payload":{"exception":"com.prisma.deploy.schema.InvalidToken: Authentication token is invalid: Token can't be decoded: Invalid signature for this token or wrong algorithm.","query":"\n      query($name: String! $stage: String!) {\n        project(name: $name stage: $stage) {\n          name\n          stage\n        }\n      }\n    ","variables":"{\"name\":\"brandheroes-backend\",\"stage\":\"stage\"}","code":"3015","stack_trace":"com.prisma.deploy.server.auth.SymmetricManagementAuth.$anonfun$verify$1(SymmetricManagementAuth.scala:31)\\n scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)\\n scala.util.Try$.apply(Try.scala:209)\\n com.prisma.deploy.server.auth.SymmetricManagementAuth.verify(SymmetricManagementAuth.scala:15)\\n com.prisma.deploy.schema.SchemaBuilderImpl.verifyAuthOrThrow(SchemaBuilder.scala:282)\\n com.prisma.deploy.schema.SchemaBuilderImpl.$anonfun$projectField$1(SchemaBuilder.scala:134)\\n sangria.execution.Resolver.resolveField(Resolver.scala:1024)\\n sangria.execution.Resolver.$anonfun$collectActionsPar$1(Resolver.scala:445)\\n scala.collection.TraversableOnce.$anonfun$foldLeft$1(TraversableOnce.scala:157)\\n scala.collection.TraversableOnce.$anonfun$foldLeft$1$adapted(TraversableOnce.scala:157)\\n scala.collection.Iterator.foreach(Iterator.scala:929)\\n scala.collection.Iterator.foreach$(Iterator.scala:929)\\n scala.collection.AbstractIterator.foreach(Iterator.scala:1417)\\n scala.collection.IterableLike.foreach(IterableLike.scala:71)\\n scala.collection.IterableLike.foreach$(IterableLike.scala:70)\\n scala.collection.AbstractIterable.foreach(Iterable.scala:54)\\n scala.collection.TraversableOnce.foldLeft(TraversableOnce.scala:157)\\n scala.collection.TraversableOnce.foldLeft$(TraversableOnce.scala:155)\\n scala.collection.AbstractTraversable.foldLeft(Traversable.scala:104)\\n sangria.execution.Resolver.collectActionsPar(Resolver.scala:439)\\n sangria.execution.Resolver.resolveFieldsPar(Resolver.scala:45)\\n sangria.execution.Executor.executeOperation(Executor.scala:155)\\n sangria.execution.Executor.$anonfun$execute$7(Executor.scala:97)\\n scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:302)\\n scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)\\n scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)\\n akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)\\n akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)\\n scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)\\n scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)\\n akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)\\n akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)\\n akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:43)\\n akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)\\n akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)\\n akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)\\n akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)","message":"Authentication token is invalid: Token can't be decoded: Invalid signature for this token or wrong algorithm."}}
2018-11-21T16:22:33.581862+00:00 app[web.1]: {"key":"error/handled","requestId":"local:management:cjordm8uw000y06523e3opqrg","payload":{"exception":"com.prisma.deploy.schema.InvalidToken: Authentication token is invalid: Token can't be decoded: Invalid signature for this token or wrong algorithm.","query":"      mutation addProject($name: String! $stage: String! $secrets: [String!]) {\n        addProject(input: {\n          name: $name,\n          stage: $stage\n          secrets: $secrets\n        }) {\n          project {\n            name\n          }\n        }\n      }\n      ","variables":"{\"name\":\"brandheroes-backend\",\"stage\":\"stage\",\"secrets\":null}","code":"3015","stack_trace":"com.prisma.deploy.server.auth.SymmetricManagementAuth.$anonfun$verify$1(SymmetricManagementAuth.scala:31)\\n scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)\\n scala.util.Try$.apply(Try.scala:209)\\n com.prisma.deploy.server.auth.SymmetricManagementAuth.verify(SymmetricManagementAuth.scala:15)\\n com.prisma.deploy.schema.SchemaBuilderImpl.verifyAuthOrThrow(SchemaBuilder.scala:282)\\n com.prisma.deploy.schema.SchemaBuilderImpl.$anonfun$addProjectField$3(SchemaBuilder.scala:217)\\n sangria.relay.Mutation$.$anonfun$fieldWithClientMutationId$3(Mutation.scala:41)\\n sangria.execution.Resolver.resolveField(Resolver.scala:1024)\\n sangria.execution.Resolver.resolveSingleFieldSeq(Resolver.scala:236)\\n sangria.execution.Resolver.$anonfun$resolveSeq$2(Resolver.scala:216)\\n scala.concurrent.Future.$anonfun$flatMap$1(Future.scala:302)\\n scala.concurrent.impl.Promise.$anonfun$transformWith$1(Promise.scala:37)\\n scala.concurrent.impl.CallbackRunnable.run(Promise.scala:60)\\n akka.dispatch.BatchingExecutor$AbstractBatch.processBatch(BatchingExecutor.scala:55)\\n akka.dispatch.BatchingExecutor$BlockableBatch.$anonfun$run$1(BatchingExecutor.scala:91)\\n scala.runtime.java8.JFunction0$mcV$sp.apply(JFunction0$mcV$sp.java:12)\\n scala.concurrent.BlockContext$.withBlockContext(BlockContext.scala:81)\\n akka.dispatch.BatchingExecutor$BlockableBatch.run(BatchingExecutor.scala:91)\\n akka.dispatch.TaskInvocation.run(AbstractDispatcher.scala:40)\\n akka.dispatch.ForkJoinExecutorConfigurator$AkkaForkJoinTask.exec(ForkJoinExecutorConfigurator.scala:43)\\n akka.dispatch.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)\\n akka.dispatch.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)\\n akka.dispatch.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)\\n akka.dispatch.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)","message":"Authentication token is invalid: Token can't be decoded: Invalid signature for this token or wrong algorithm."}}

jhalborg on 21 Nov 2018

Thanks for reporting @jhalborg ! Could you please explain, how exactly you deployed to Heroku? Did you use the Prisma Cloud UI to do so or did you manually push the prisma image to Heroku?
The only relevant secret here is the PRISMA_MANAGEMENT_API_SECRET, the service secret can be ignored.

Keep in mind, that this secret needs to be in sync with the env var with the same name PRISMA_MANAGEMENT_API_SECRET in your terminal when executing the prisma cli.

It seems that these 2 are out of sync in your case.

Thanks!

timsuchanek on 22 Nov 2018

Hi @timsuchanek,

I'm experiencing the exact same problem, I've deployed to Heroku from the Prisma Cloud UI, I'd just like to know where do I obtain the PRISMA_MANAGEMENT_API_SECRET 😕 ?

AmoDinho on 22 Nov 2018

@AmoDinho the PRISMA_MANAGEMENT_API_SECRET is set by the Prisma Cloud. In this case, we are responsible for managing the secret, so there's clearly something going wrong on our end.

Could you send me your workspace name? You can also send it in Slack, I'm @tim2 there.

timsuchanek on 22 Nov 2018

@timsuchanek - Thanks for chiming in 😄

As specified in the comments and reproduction repo, I'm deploying manually to Heroku, although I did also have issues using the Prisma Cloud integration as well.

I'm 100% certain that the keys match, I've just triple checked again. Come to think of it, since I can see the server in the Cloud UI, and also choose it during prisma init in my terminal, the management secret must be just fine, right? It also lists as "Healthy", meaning it can reach it and perform health checks:

If you're on Slack, it'd be awesome if you have time to live debug it?

jhalborg on 22 Nov 2018

After a fairly long debugging session with @divyenduz and pantharshit00, we finally found the issue.

TL;DR

Logout of the prisma CLI
Deploy the service, and make sure the env var PRISMA_MANAGEMENT_API_SECRET is set - either as a PATH variable, or by using .env files.

cloudSessionKey: >-
  eyJhbGciOiJIUzINiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiJjamhpd2UxbjE2ZWxjMGE5Mms3b2Y1bmJ6IiwiaWF0IjoxNTQzMzE1NTg1LCJleHAiOjE1NDU5MDc1ODV9.Xccf0C-HCg0EuRH32DNMHqjTFjgI-w8KYcVpXA2tbjs
clusters: {}

Logging out of the CLI removes that key, leaving only clusters: {} in the config, so the CLI instead uses the passed in secret.

In our opinion, this is a bug, and an explicitly passed value should take priority over this implicit value, so I've created a bug report here

Thanks for the help to all that did 😄

jhalborg on 27 Nov 2018

👍3

After a fairly long debugging session with @divyenduz and pantharshit00, we finally found the issue.

This solution did also work for me, however the service even though deployed successfully does not show up in the Prisma Cloud Interface under "services".