Strongbox: Should not return www-authenticate request method is OPTIONS

Created on 20 Apr 2019  路  7Comments  路  Source: strongbox/strongbox

Task Description

This used to work, but for some reason it's broken now (not sure if it's a newer Chrome version or we just broke it somehow).
In general, when a browser is trying to access an api endpoint, it would first send an OPTIONS request to check the CORS settings of the server and then send the actual request. The first request will not contain the X-Requested-With header (#457) so that's what's causing the native HttpBasic browser popup to appear.

Steps to reproduce:

  1. Set a small session timeout (i.e. 2-3 seconds)
  2. Login
  3. Wait a few seconds
  4. Refresh page
# curl -I 'http://localhost:48080/api/ping/token' -H 'Accept: application/json, text/plain, */*' -H 'Referer: http://localhost:48080/' -H 'DNT: 1' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.92 Safari/537.36' -H 'Authorization: Bearer INSERT_A_REAL_TOKEN' -X OPTIONS --compressed

HTTP/2 401 
server: nginx
date: Tue, 18 Sep 2018 21:29:14 GMT
content-type: application/json
www-authenticate: Basic realm="Strongbox Repository Manager"
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
expires: 0
x-frame-options: DENY

Acceptance Test

  • [ ] Building the code with mvn clean install -Dintegration.tests still works.
  • [ ] Running mvn spring-boot:run in the strongbox-web-core still starts up the application correctly.
  • [ ] Building the code and running the strongbox-distribution from a zip or tar.gz still works.
  • [ ] The tests in the strongbox-web-integration-tests still run properly.

Task Relationships

This task relates to #457.

Help

  • Our chat
  • Points of contact:

    • @steve-todorov

    • @sbespalov

    • @fuss86

good first issue help wanted

All 7 comments

I'll be taking a look at this issue

Okay! Good luck! :)

I've been able to reproduce the error and found out that the tokens of the authentication is inside the BasicAuthorizationSupplier class, but I'm having troubles understanding the desired solution, could you explain to me what is the expected result?

@steve-todorov , @fuss86 , @ptirador : Any thoughts?

I just sent a PR with the Solution to the issue #1265

any comments you have about it are very welcomed.

Hey since most of the questions I asked and reports of my progress were done through the strongbox community chat. I think it would better for the community that the findings on this issue are shown in public.

The issue occurred inside the Http401AuthenticationEntryPoint.java class. Since the updates on some browsers, pre-flight OPTIONS calls are sent for all GET/POST requests unless they are classified as simple requests when sending a CORS request.

This pre-flight OPTIONS request doesn't contain the "X-Requested-With" header and because of this what happened is that the response always returned with the "www-authenticate" header which prompted the authentication pop-up.

In the PR #1265 I added this validation inside the Http401AuthenticationEntryPoint :

!request.getMethod().equalsIgnoreCase(IS_REQUEST_OPTIONS)

With this, we make sure that the "www-authenticate" response isn't triggered every time the API receives the pre-flight OPTIONS call fixing the issue of the unwanted pop-up authentication.

Here are some blog post for reference about pre-flight requests:
link 1
link 2

Thanks for following up with an explanation! :)

Was this page helpful?
0 / 5 - 0 ratings