401 Unauthorized when trying to get admin token #21

Open
admarrs opened this issue Oct 8, 2021 · 8 comments
Labels
bug Something isn't working

Comments


admarrs commented Oct 8, 2021

Following the Test drive I get the following when trying to get-token for the admin user

site > bin/site get-token -u admin
site: Unix pass prefix: site/local/
site: Get token from http://localhost:2021/_site/token
site: Server response: 401 Unauthorized

site: Are your credentials valid? request-id is http://localhost:2021/_site/requests/50ba7d0fad679394de1aff2c

Looking at the log output it looks like the username being passed to juxt.pass.alpha.authentication/lookup-user is nil

17:16:43.457 [qtp1821409160-23] DEBUG juxt.site.alpha.handler - Resource provider: :juxt.site.alpha.handler/db
17:16:43.461 [qtp1821409160-23] ERROR juxt.pass.alpha.authentication - #error {
 :cause nil
 :via
 [{:type java.lang.NullPointerException
   :message nil
   :at [java.util.regex.Matcher getTextLength Matcher.java 1770]}]
 :trace
 [[java.util.regex.Matcher getTextLength Matcher.java 1770]
  [java.util.regex.Matcher reset Matcher.java 416]
  [java.util.regex.Matcher <init> Matcher.java 253]
  [java.util.regex.Pattern matcher Pattern.java 1133]
  [clojure.core$re_matcher invokeStatic core.clj 4856]
  [clojure.core$re_matches invokeStatic core.clj 4886]
  [clojure.core$re_matches invoke core.clj 4886]
  [juxt.pass.alpha.authentication$lookup_user invokeStatic authentication.clj 105]
  [juxt.pass.alpha.authentication$lookup_user invoke authentication.clj 101]
  [juxt.pass.alpha.authentication$authenticate invokeStatic authentication.clj 263]
  [juxt.pass.alpha.authentication$authenticate invoke authentication.clj 227]
  [juxt.site.alpha.handler$wrap_authenticate$fn__16783 invoke handler.clj 800]
  [juxt.site.alpha.handler$wrap_negotiate_representation$fn__16778 invoke handler.clj 792]
  [juxt.site.alpha.handler$wrap_find_current_representations$fn__16773 invoke handler.clj 787]
  [juxt.site.alpha.handler$wrap_redirect$fn__16767 invoke handler.clj 773]
  [juxt.site.alpha.handler$wrap_locate_resource$fn__16762 invoke handler.clj 760]
  [juxt.site.alpha.handler$wrap_method_not_implemented_QMARK_$fn__16758 invoke handler.clj 754]
  [juxt.site.alpha.handler$wrap_error_handling$fn__16923 invoke handler.clj 1240]
  [juxt.site.alpha.handler$wrap_security_headers$fn__16828 invoke handler.clj 920]
  [juxt.site.alpha.handler$wrap_cors_headers$fn__16874 invoke handler.clj 1029]
  [juxt.site.alpha.handler$wrap_store_request_in_request_cache$fn__16965 invoke handler.clj 1380]
  [juxt.site.alpha.handler$wrap_store_request$fn__16969 invoke handler.clj 1387]
  [juxt.site.alpha.handler$wrap_log_request$fn__16975 invoke handler.clj 1405]
  [juxt.site.alpha.handler$wrap_service_unavailable_QMARK_$fn__16983 invoke handler.clj 1428]
  [juxt.site.alpha.handler$wrap_initialize_request$fn__16951 invoke handler.clj 1342]
  [juxt.site.alpha.handler$wrap_healthcheck$fn__16979 invoke handler.clj 1412]
  [juxt.site.alpha.handler$wrap_ring_1_adapter$fn__16959 invoke handler.clj 1369]
  [ring.adapter.jetty$proxy_handler$fn__8527 invoke jetty.clj 27]
  [ring.adapter.jetty.proxy$org.eclipse.jetty.server.handler.AbstractHandler$ff19274a handle nil -1]
  [org.eclipse.jetty.server.handler.HandlerWrapper handle HandlerWrapper.java 127]
  [org.eclipse.jetty.server.Server handle Server.java 516]
  [org.eclipse.jetty.server.HttpChannel lambda$handle$1 HttpChannel.java 388]
  [org.eclipse.jetty.server.HttpChannel dispatch HttpChannel.java 633]
  [org.eclipse.jetty.server.HttpChannel handle HttpChannel.java 380]
  [org.eclipse.jetty.server.HttpConnection onFillable HttpConnection.java 273]
  [org.eclipse.jetty.io.AbstractConnection$ReadCallback succeeded AbstractConnection.java 311]
  [org.eclipse.jetty.io.FillInterest fillable FillInterest.java 105]
  [org.eclipse.jetty.io.ChannelEndPoint$1 run ChannelEndPoint.java 104]
  [org.eclipse.jetty.util.thread.QueuedThreadPool runJob QueuedThreadPool.java 773]
  [org.eclipse.jetty.util.thread.QueuedThreadPool$Runner run QueuedThreadPool.java 905]
  [java.lang.Thread run Thread.java 834]]}
17:16:43.461 [qtp1821409160-23] DEBUG crux.query - :query {:find [rule], :where [[rule :juxt.site.alpha/type "Rule"]], :in []}

admarrs commented Oct 9, 2021

After further investigation, the regex used to extract the username & password from the decoded token doesn't like symbols in the password.

So I'd suggest an update to the Test drive to add the -n flag to pass generate to exclude symbols from the password:

pass generate -n site/local/admin

With that change the Test drive worked as described.

@admarrs admarrs closed this as completed Oct 9, 2021
@malcolmsparks
Contributor

Thanks for this - I've made the change you suggested to the documentation.

@malcolmsparks
Contributor

I'm still puzzled as to why this occurred. If you have a moment, could you paste me a bit more detail, or a password that causes the issue?


admarrs commented Oct 10, 2021

The generated password that caused the problem was <d"DWP+"g/egZyR:`rYQ#QiXv

From the repl

site > clj
Clojure 1.10.1
user=> (re-matches #"([^:]*):([^:]*)" 'admin:<d"DWP+"g/egZyR:`rYQ#QiXv')
Syntax error reading source at (REPL:2:55).
Invalid token: g/egZyR:
user/rYQ#QiXv'
Syntax error reading source at (REPL:2:66).
Unmatched delimiter: )
user=> 


malcolmsparks commented Oct 10, 2021

Thanks very much for sending this in, it's really helpful and I was able to spot the bug straight away. The regex is wrong, it should almost certainly be ([^:]*):(.*) to allow passwords to have colons. If you don't mind, I'll re-open this issue in lieu of fixing this (and testing).

Note, when fixing this bug, remove the -n flag to the pass generate flag, as it won't be necessary.

@malcolmsparks malcolmsparks reopened this Oct 10, 2021
@armincerf armincerf added the bug Something isn't working label Oct 13, 2021
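
The parsing bug discussed above, as an added example that is not part of the thread or the project's code: it runs the reported password through both the quoted pattern and the proposed one. The namespace and the helpers `encode-basic` and `parse-basic` are hypothetical names; only the two regexes and the password come from the thread.

```clojure
(ns basic-auth-example
  (:import (java.util Base64)
           (java.nio.charset StandardCharsets)))

;; Pattern quoted in the thread: the password group cannot contain ':'.
(def strict-re #"([^:]*):([^:]*)")
;; Pattern proposed in the thread: split on the first ':' only.
(def fixed-re #"([^:]*):(.*)")

(defn encode-basic
  "Hypothetical helper: builds the header value an HTTP client would send."
  [user password]
  (let [raw (.getBytes (str user ":" password) StandardCharsets/UTF_8)]
    (str "Basic " (.encodeToString (Base64/getEncoder) raw))))

(defn parse-basic
  "Hypothetical helper: returns {:user .. :password ..}, or nil when the
  header is not well-formed Basic credentials, so callers can answer 401
  without ever handing a nil username to a later lookup."
  [re header]
  (when-let [[_ token] (and header
                            (re-matches #"(?i)Basic\s+([A-Za-z0-9+/=]+)" header))]
    (let [decoded (try
                    (String. (.decode (Base64/getDecoder) ^String token)
                             StandardCharsets/UTF_8)
                    (catch IllegalArgumentException _ nil))]
      (when-let [[_ user password] (and decoded (re-matches re decoded))]
        {:user user :password password}))))

;; Password reported in the thread; note the ':' after "egZyR".
(def reported-password "<d\"DWP+\"g/egZyR:`rYQ#QiXv")
(def header (encode-basic "admin" reported-password))

;; The original pattern finds no match at all, so no username is extracted.
(assert (nil? (parse-basic strict-re header)))
;; The proposed pattern keeps everything after the first ':' as the password.
(assert (= {:user "admin" :password reported-password}
           (parse-basic fixed-re header)))
;; Malformed or missing headers fail closed with nil instead of throwing.
(assert (nil? (parse-basic fixed-re nil)))
(assert (nil? (parse-basic fixed-re "Basic not*base64")))
(println "ok")
```
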
@burakakca

Hi, I've done all steps but I get this error:
Not Found Error
Unauthorized Error

@armincerf
Member

> Hi, I've done all steps but I get this error:
> Not Found Error
> Unauthorized Error

Hi, we're currently rewriting all the authn/authz parts of site so this problem won't exist in a few weeks when that gets merged, but for now you can do one of the following things to solve this:

  • Put a rule into site that allows access to any resource (this effectively removes all auth so don't do this if you have anything to hide!) The rule looks like this (sorry for formatting, on my phone)
    {:xt/id "{{base-uri}}/_site/rules/make-public",
     :juxt.site.alpha/description "for testing"
     :juxt.site.alpha/type "Rule"
     :juxt.pass.alpha/effect :juxt.pass.alpha/allow
     :juxt.pass.alpha/target []}
  • Install the login page module, or make something that follows the same pattern. See opt/login-page readme for the details on that. Once you install it you should get redirected to the login page where you enter the credentials you set up when installing site.

Hopefully that helps

@burakakca

I tried but it does not change. Also, I can't find the opt/login-page.
