Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Basic Authentication not working as intended #310

Open
pedro-cf opened this issue Nov 12, 2024 · 9 comments
Open

Basic Authentication not working as intended #310

pedro-cf opened this issue Nov 12, 2024 · 9 comments

Comments

@pedro-cf
Copy link
Collaborator

Describe the bug
The Basic Authentication implementation in stac-fastapi-elasticsearch is not working as expected. When configuring multiple user credentials through STAC_FASTAPI_ROUTE_DEPENDENCIES, the authentication fails even with valid credentials.

To Reproduce
Steps to reproduce the behavior:

  1. Configure basic auth with multiple users in docker-compose.yml:
- STAC_FASTAPI_ROUTE_DEPENDENCIES=[{"routes":[{"method":"*","path":"*"}],"dependencies":[{"method":"stac_fastapi.core.basic_auth.BasicAuth","kwargs":{"credentials":[{"username":"admin","password":"admin"}]}}]},{"routes":[{"path":"/","method":["GET"]},{"path":"/conformance","method":["GET"]},{"path":"/collections/{collection_id}/items/{item_id}","method":["GET"]},{"path":"/search","method":["GET","POST"]},{"path":"/collections","method":["GET"]},{"path":"/collections/{collection_id}","method":["GET"]},{"path":"/collections/{collection_id}/items","method":["GET"]},{"path":"/queryables","method":["GET"]},{"path":"/queryables/collections/{collection_id}/queryables","method":["GET"]},{"path":"/_mgmt/ping","method":["GET"]}],"dependencies":[{"method":"stac_fastapi.core.basic_auth.BasicAuth","kwargs":{"credentials":[{"username":"reader","password":"reader"}]}}]}]
  1. Start the stac-fastapi-elasticsearch service with basic auth configuration:
docker-compose up -d
  1. Try to access the root endpoint with valid credentials:
curl --request GET \
  --url http://localhost:8080/ \
  --header 'Authorization: Basic YWRtaW46YWRtaW4='
curl --request GET \
  --url http://localhost:8080/ \
  --header 'Authorization: Basic cmVhZGVyOnJlYWRlcg=='
  1. Receive error response:
{"detail":"Incorrect username or password"}

Expected behavior

  • The API should accept valid credentials from any user configured in the route dependencies
  • Both "admin:admin" and "reader:reader" credentials should work for their respective configured routes
  • When a route is configured for multiple users, any of their credentials should work

Environment:

  • OS: Ubuntu 22.04.4 LTS
  • Docker version: Docker version 27.1.1, build 6312585
  • stac-fastapi-elasticsearch version: 3.2.0
  • Python version: 3.10
@pedro-cf
Copy link
Collaborator Author

any chance you could take a look at this @rhysrevans3 ?

@rhysrevans3
Copy link
Contributor

Happy to have a look!

@pedro-cf
Copy link
Collaborator Author

Happy to have a look!

@rhysrevans3
Additional context: It works fine with a single user.

@rhysrevans3
Copy link
Contributor

@pedro-cf I've figure out the cause of the issue. As the dependencies (one for admin and one for reader) are separate they both get run and if either fail then the user is denied access. Because they don't know about each other they will fail on any endpoint where both are active.

One solution is to not use "*" and add both credentials to any endpoints that need them. I'll add a note to the auth readme to explain this.

I think a better solution for this is to handle security dependencies separately to other dependencies and have a main security dependency that can check that at least one has a passed.

@pedro-cf
Copy link
Collaborator Author

One solution is to not use "*" and add both credentials to any endpoints that need them. I'll add a note to the auth readme to explain this.

If possible can you share a working example for this solution? for the standard admin + reader user setup

@rhysrevans3
Copy link
Contributor

rhysrevans3 commented Nov 20, 2024
edited
Loading

Here's an example where only admin has access to the transaction endpoints, both admin and reader have access to the second set of routes, and all unspecified routes are public.

- STAC_FASTAPI_ROUTE_DEPENDENCIES=[{"routes":[{"path":"/collections", "method":["POST"]},{"path":"/collections/{collection_id}", "method":["DELETE", "PUT"]},{"path":"/collections/{collection_id}/items", "method":[ "POST"]}, {"path":"/collections/{collection_id}/items/{item_id}", "method":["DELETE", "PUT"]}], "dependencies":[{"method":"stac_fastapi.core.basic_auth.BasicAuth","kwargs":{"credentials":[{"username":"admin","password":"admin"}]}}]},{"routes":[{"path":"/","method":["GET"]},{"path":"/conformance","method":["GET"]},{"path":"/collections/{collection_id}/items/{item_id}","method":["GET"]},{"path":"/search","method":["GET","POST"]},{"path":"/collections","method":["GET"]},{"path":"/collections/{collection_id}","method":["GET"]},{"path":"/collections/{collection_id}/items","method":["GET"]},{"path":"/queryables","method":["GET"]},{"path":"/queryables/collections/{collection_id}/queryables","method":["GET"]},{"path":"/_mgmt/ping","method":["GET"]}],"dependencies":[{"method":"stac_fastapi.core.basic_auth.BasicAuth","kwargs":{"credentials":[{"username":"reader","password":"reader"}, {"username":"admin","password":"admin"}]}}]}]

Hope that helps.

@pedro-cf
Copy link
Collaborator Author

Here's an example where only admin has access to the transaction endpoints, both admin and reader have access to the second set of routes, and all unspecified routes are public.

- STAC_FASTAPI_ROUTE_DEPENDENCIES=[{"routes":[{"path":"/collections", "method":["POST"]},{"path":"/collections/{collection_id}", "method":["DELETE", "PUT"]},{"path":"/collections/{collection_id}/items", "method":[ "POST"]}, {"path":"/collections/{collection_id}/items/{item_id}", "method":["DELETE", "PUT"]}], "dependencies":[{"method":"stac_fastapi.core.basic_auth.BasicAuth","kwargs":{"credentials":[{"username":"admin","password":"admin"}]}}]},{"routes":[{"path":"/","method":["GET"]},{"path":"/conformance","method":["GET"]},{"path":"/collections/{collection_id}/items/{item_id}","method":["GET"]},{"path":"/search","method":["GET","POST"]},{"path":"/collections","method":["GET"]},{"path":"/collections/{collection_id}","method":["GET"]},{"path":"/collections/{collection_id}/items","method":["GET"]},{"path":"/queryables","method":["GET"]},{"path":"/queryables/collections/{collection_id}/queryables","method":["GET"]},{"path":"/_mgmt/ping","method":["GET"]}],"dependencies":[{"method":"stac_fastapi.core.basic_auth.BasicAuth","kwargs":{"credentials":[{"username":"reader","password":"reader"}, {"username":"admin","password":"admin"}]}}]}]

Hope that helps.

Greetings @rhysrevans3 I was testing this setup.

I noticed you set the credentials for reader twice:

image

but even after removing the second one I am still getting some issues

Reader Request:

curl --request GET \
  --url http://localhost:8084/ \
  --header 'Authorization: Basic cmVhZGVyOnJlYWRlcg=='

Reader Response:
200 OK

{
....
}

Admin Request:

curl --request GET \
  --url http://localhost:8084/ \
  --header 'Authorization: Basic YWRtaW46YWRtaW4='

Admin Response:

{
	"detail": "Incorrect username or password"
}

@pedro-cf
Copy link
Collaborator Author

pedro-cf commented Nov 26, 2024
edited
Loading

Additionally if I add:

{
   "path":"/",
   "method":[
      "GET"
   ]
}

to the admin's routes, then both users cannot access "/" and both get the response:

{
	"detail": "Incorrect username or password"
}

@rhysrevans3
Copy link
Contributor

Hi @pedro-cf sorry I probably wasn't very clear with my example.

The two route dependencies in my example weren't one for admin and one for reader. It was one for admin only:

{"routes":[{"path":"/collections", "method":["POST"]},{"path":"/collections/{collection_id}", "method":["DELETE", "PUT"]},{"path":"/collections/{collection_id}/items", "method":[ "POST"]}, {"path":"/collections/{collection_id}/items/{item_id}", "method":["DELETE", "PUT"]}], "dependencies":[{"method":"stac_fastapi.core.basic_auth.BasicAuth","kwargs":{"credentials":[{"username":"admin","password":"admin"}]}}]}

and one for admin and reader:

{"routes":[{"path":"/","method":["GET"]},{"path":"/conformance","method":["GET"]},{"path":"/collections/{collection_id}/items/{item_id}","method":["GET"]},{"path":"/search","method":["GET","POST"]},{"path":"/collections","method":["GET"]},{"path":"/collections/{collection_id}","method":["GET"]},{"path":"/collections/{collection_id}/items","method":["GET"]},{"path":"/queryables","method":["GET"]},{"path":"/queryables/collections/{collection_id}/queryables","method":["GET"]},{"path":"/_mgmt/ping","method":["GET"]}],"dependencies":[{"method":"stac_fastapi.core.basic_auth.BasicAuth","kwargs":{"credentials":[{"username":"reader","password":"reader"}, {"username":"admin","password":"admin"}]}}]}

That's why there are two sets of credentials in the second route dependency one for reader and one for admin.

So any routes added to the first route dependency will be admin only and any added to the second will be accessible by both admin and reader.

The reason for this is FastAPI runs all of the dependencies for an endpoint and will raise an error if any fail. So you can only have one Auth dependency per endpoint else they will clash.

Hope this clarifies things 😄

@rhysrevans3 rhysrevans3 mentioned this issue Dec 2, 2024
Closed
@rhysrevans3 rhysrevans3 mentioned this issue Jan 7, 2025
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pedro-cf @rhysrevans3