feat: authenticate app with daemon #1298

Open
opened 2018-04-06 17:23:17 +02:00 by IGassmann · 10 comments
IGassmann commented 2018-04-06 17:23:17 +02:00 (Migrated from github.com)

Authentication available with daemon v0.20.0rc6.

tzarebczan commented 2018-05-04 15:02:58 +02:00 (Migrated from github.com)

Currently getting:

```
{
  "error": {
    "code": -32500,
    "data": [],
    "message": "InvalidHeaderError"
  },
  "id": null,
  "jsonrpc": "2.0"
}
```

```
Request URL:http://localhost:5279/
Request Method:POST
Status Code:200 OK
Remote Address:127.0.0.1:5279
Referrer Policy:no-referrer-when-downgrade

Response Headers
Accept:application/json-rpc
Content-Length:127
Content-Type:application/json
Date:Fri, 04 May 2018 12:57:15 GMT
Server:TwistedWeb/16.6.0

Request Headers
Accept:*/*
Accept-Encoding:gzip, deflate
Accept-Language:en-US
Connection:keep-alive
Content-Length:66
content-type:text/plain;charset=UTF-8
Host:localhost:5279
Origin:http://localhost:9080
Referer:http://localhost:9080/
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) LBRY/1.8.4 Chrome/59.0.3071.115 Electron/1.8.4 Safari/537.36
X-DevTools-Request-Id:143216.26

Request Payload
{jsonrpc: "2.0", method: "status", params: {}, id: 1525438635185}
```

daemon shows:

```
2018-05-04 09:00:10,338 WARNING lbrynet.daemon.auth.server:382: Attempted api call from invalid Origin: http://localhost:9080
```

kauffj commented 2018-05-04 15:17:17 +02:00 (Migrated from github.com)

@tzarebczan I got this yesterday as well. My daemon did not have an `allowed_origin` setting at all. It worked if `allowed_origin` was `*`.

The relevant daemon side check is here https://github.com/lbryio/lbry/blob/master/lbrynet/daemon/auth/server.py#L398

We need to figure out if the daemon just needs to provide a default setting or if the app needs to change this setting at install time.

tzarebczan commented 2018-05-07 18:16:15 +02:00 (Migrated from github.com)

@kauffj I spoke to @IGassmann last week and he said it should be done from the app side. @IGassmann, is setting `allowed_origin` to `*` the correct way to implement this?

This also happens in non-dev mode as well.

tzarebczan commented 2018-05-08 17:22:00 +02:00 (Migrated from github.com)

These are the changes Jack made which should help us understand how the app should authenticate - it would need to create a handshake with the daemon: https://github.com/lbryio/lbry/commit/743ae59d545bdb80ce4536feda866facde0947d7#diff-2571ced04af2d940be952f29361a40a0R160

Notes:

```
If use_authentication is true, basic HTTP and HMAC authentication will be used for all requests and the
service url will require a username and password.
authorized_functions (list): list of api methods that require authentication

To start an authenticated session a client sends an HTTP POST to <user>:<password>@<api host>:<api port>.
If accepted, the server replies with a TWISTED_SESSION cookie containing a session id and the message "OK".
The client initializes their shared secret for hmac to be the b64 encoded sha256 of their session id.

To send an authenticated request a client sends an HTTP POST to the auth api url with the TWISTED_SESSION
cookie and includes a hmac token in the message using the previously set shared secret. If the token is valid
the server will randomize the shared secret and return the new value under the LBRY_SECRET header, which the
client uses to generate the token for their next request.
```
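The handshake described in the notes above, played out as an added example (not lbrynet's code): both sides seed the shared secret from the session id, the daemon verifies the HMAC token, rotates the secret, and hands the new value back as `LBRY_SECRET`. The session id is constructed, and the exact token construction (hex HMAC-SHA256 over the JSON body) is an assumption since the notes do not specify it.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed session id; in the real flow the daemon issues it in the TWISTED_SESSION cookie
SESSION_ID = "constructed-session-id-0123"

def initial_secret(session_id):
    """Both sides derive the first shared secret as the b64-encoded sha256 of the session id."""
    return base64.b64encode(hashlib.sha256(session_id.encode()).digest()).decode()

def make_token(secret, body):
    """Assumed token construction: hex HMAC-SHA256 over the JSON body keyed with the shared secret."""
    return hmac.new(secret.encode(), body.encode(), hashlib.sha256).hexdigest()

class Daemon:
    """Server side: verifies the token, then rotates the secret and returns it as LBRY_SECRET."""

    def __init__(self, session_id):
        self.secret = initial_secret(session_id)

    def handle(self, body, token):
        if not hmac.compare_digest(make_token(self.secret, body), token):
            return 401, {}                       # wrong or replayed token: secret is not rotated
        self.secret = secrets.token_urlsafe(32)  # randomize for the next request
        return 200, {"LBRY_SECRET": self.secret}

class App:
    """Client side: signs each request with the current secret and adopts the rotated one."""

    def __init__(self, session_id):
        self.secret = initial_secret(session_id)

    def call(self, daemon, method):
        body = json.dumps({"jsonrpc": "2.0", "method": method, "params": {}, "id": 1})
        status, headers = daemon.handle(body, make_token(self.secret, body))
        if status == 200:
            self.secret = headers["LBRY_SECRET"]
        return status

def run_exchange():
    daemon, app = Daemon(SESSION_ID), App(SESSION_ID)
    first, second = app.call(daemon, "status"), app.call(daemon, "status")
    # Re-sending with the initial secret fails: the daemon rotated it after the first call
    replay, _ = daemon.handle("{}", make_token(initial_secret(SESSION_ID), "{}"))
    return first, second, replay
```

The rotation is what gives each request a one-time token: a client that misses a `LBRY_SECRET` response falls out of sync and has to start a new session.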
kauffj commented 2018-05-09 00:34:45 +02:00 (Migrated from github.com)

@tzarebczan please get issues created app side.

More importantly, the sprint and release process needs to better handle this and this should be discussed in an upcoming retrospective (@jackrobison @lyoshenka @eukreign). If a daemon upgrade requires all apps using it to change their behavior in how they call it, this ought to be extremely prominently mentioned in release notes, and we ought to be identifying these issues and creating tickets appropriately (or at least letting key team members know).

tzarebczan commented 2018-05-09 19:16:32 +02:00 (Migrated from github.com)

@kauffj agreed but I think there is some confusion. This was the issue created as a result of communication between Jack and Igor - which was to enable the app to use http authentication (not currently doing so). It's not a mandatory setting, so all previous apps should work correctly without it.

The confusion lies in some other changes that went along with this which is causing the app/daemon communication problem - I'm trying to debug the source of the issue and will work with Jack to fix it.

tzarebczan commented 2018-05-11 16:59:14 +02:00 (Migrated from github.com)

Findings:

dev mode:
```
2018-05-09 14:44:46,332 INFO     lbrynet.daemon.auth.server:380: header: Origin:
2018-05-09 14:44:46,332 INFO     lbrynet.daemon.auth.server:388: source: http://localhost:9080:
2018-05-09 14:44:46,332 INFO     lbrynet.daemon.auth.server:402: server/port: localhost:9080
2018-05-09 14:44:46,332 WARNING  lbrynet.daemon.auth.server:383: Attempted api call from invalid Origin: http://localhost:9080
```

non dev:
```
2018-05-09 13:55:46,967 INFO     lbrynet.daemon.auth.server:380: header: Origin:
2018-05-09 13:55:46,967 INFO     lbrynet.daemon.auth.server:388: source: null:
2018-05-09 13:55:46,967 INFO     lbrynet.daemon.auth.server:402: server/port: :80
2018-05-09 13:55:46,967 WARNING  lbrynet.daemon.auth.server:383: Attempted api call from invalid Origin: null
2018-05-09 13:55:46,969 WARNING  lbrynet.daemon.auth.server:211: error processing api request: InvalidHeaderError
```

Postman jsonrpc:
```
2018-05-11 09:58:01,785 INFO     lbrynet.daemon.auth.server:380: header: Origin:
2018-05-11 09:58:05,637 INFO     lbrynet.daemon.auth.server:388: source: None:
2018-05-11 09:58:05,638 INFO     lbrynet.daemon.auth.server:380: header: Referer:
2018-05-11 09:58:05,638 INFO     lbrynet.daemon.auth.server:388: source: None:
```

Not sure if it's the app doing something wrong, or if lbry side needs to be fixed.

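The Origin gate these findings exercise, as an added example (not lbrynet's `server.py`): a minimal `allowed_origin` check run over constructed header sets for the three cases logged above (dev-mode Electron, packaged app sending the opaque origin `null`, and a Postman-style client with no Origin or Referer). The semantics of an absent setting and of the `*` wildcard are assumed from the thread, not taken from the daemon.

```python
from urllib.parse import urlsplit

# Constructed header sets mirroring the three cases in the findings above
DEV_MODE = {"Origin": "http://localhost:9080", "Referer": "http://localhost:9080/"}
PACKAGED = {"Origin": "null"}   # an Electron page loaded from file:// sends the opaque origin "null"
POSTMAN = {}                    # a non-browser client sends neither Origin nor Referer

def origin_allowed(headers, allowed_origin):
    """Gate a localhost JSON-RPC request on its browser-supplied origin.

    Assumed semantics for allowed_origin (this example's, not the daemon's exact rules):
      None  -> the setting is absent, so any browser origin is rejected
      "*"   -> every origin is accepted (the check is effectively off)
      URL   -> scheme, host and port must match the Origin, or the Referer when Origin is absent
    """
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return True   # no browser origin at all: native client, not a cross-site page
    if allowed_origin == "*":
        return True
    if allowed_origin is None or source == "null":
        return False  # unset setting or opaque "null" origin can never match a configured URL
    want, got = urlsplit(allowed_origin), urlsplit(source)
    return (want.scheme, want.hostname, want.port or 80) == (got.scheme, got.hostname, got.port or 80)

def classify(headers, allowed_origin):
    """Return the message the check would log, using the daemon's wording from the findings."""
    source = headers.get("Origin") or headers.get("Referer")
    if origin_allowed(headers, allowed_origin):
        return "ok"
    return "Attempted api call from invalid Origin: %s" % source
```

Setting `allowed_origin` to `*` silences the error by turning the check off, which also drops the protection against other pages in a local browser calling the daemon; pointing it at the app's real origin keeps that protection while letting the app through.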
tzarebczan commented 2018-05-18 17:14:36 +02:00 (Migrated from github.com)

@jackrobison / @lyoshenka will be looking into this from the daemon side to ensure it's implemented properly.

tzarebczan commented 2018-06-10 21:55:05 +02:00 (Migrated from github.com)

This check was removed from the daemon for now.

alyssaoc commented 2018-10-15 21:59:49 +02:00 (Migrated from github.com)

@tzarebczan and @jackrobison What is the status of this?

Reference: LBRYCommunity/lbry-desktop#1298