Bad Request when sending authenticated request with mashlib recipe #1

Open
angelo-v opened this issue Jul 30, 2021 · 8 comments
@angelo-v

Hi, when starting the default mashlib recipe it works fine and looks very promising; nice work so far, thanks a lot.

I am facing an issue when I change the root .acl from public access to only give access to my WebID:

@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.

<#authorization>
    a               acl:Authorization;
    acl:agent  <https://angelo.veltens.org/profile/card#me>;
    acl:mode        acl:Read;
    acl:mode        acl:Write;
    acl:mode        acl:Append;
    acl:mode        acl:Delete;
    acl:mode        acl:Control;
    acl:accessTo    <./>;
    acl:default     <./>.

I can log in via mashlib, but I am getting 400 responses for any resource then.

The server log says:

2021-07-30T07:23:13.527Z [BaseHttpServerFactory] info: Received GET request for /
2021-07-30T07:23:13.531Z [WebAclAuthorizer] info: Reading ACL statements from http://localhost:3000/.acl
2021-07-30T07:23:13.533Z [WebAclAuthorizer] warn: Unauthenticated agent has no read permissions
2021-07-30T07:23:13.623Z [BaseHttpServerFactory] info: Received GET request for /mash.css
2021-07-30T07:23:13.625Z [BaseHttpServerFactory] info: Received GET request for /mashlib.min.js
2021-07-30T07:23:13.721Z [BaseHttpServerFactory] info: Received GET request for /mash.css.map
2021-07-30T07:23:13.726Z [WebAclAuthorizer] info: Reading ACL statements from http://localhost:3000/.acl
2021-07-30T07:23:13.728Z [WebAclAuthorizer] warn: Unauthenticated agent has no read permissions
2021-07-30T07:23:13.814Z [BaseHttpServerFactory] info: Received GET request for /mashlib.min.js.map
2021-07-30T07:23:13.817Z [WebAclAuthorizer] info: Reading ACL statements from http://localhost:3000/.acl
2021-07-30T07:23:13.818Z [WebAclAuthorizer] warn: Unauthenticated agent has no read permissions
2021-07-30T07:23:13.884Z [BaseHttpServerFactory] info: Received GET request for /
2021-07-30T07:23:13.885Z [BearerWebIdExtractor] warn: Error verifying WebID via Bearer access token: Expected object property webid, got:
[object Object]
2021-07-30T07:23:13.885Z [BaseHttpServerFactory] info: Received GET request for /profile/card
2021-07-30T07:23:13.886Z [BearerWebIdExtractor] warn: Error verifying WebID via Bearer access token: Expected object property webid, got:
[object Object]
2021-07-30T07:23:14.210Z [BaseHttpServerFactory] info: Received GET request for /favicon.ico
2021-07-30T07:23:17.653Z [BaseHttpServerFactory] info: Received GET request for /common/css/bootstrap.min.css
2021-07-30T07:23:17.659Z [WebAclAuthorizer] info: Reading ACL statements from http://localhost:3000/.acl
2021-07-30T07:23:17.660Z [WebAclAuthorizer] warn: Unauthenticated agent has no read permissions

I checked the request that gets a 400 response and it contains an authorization: Bearer ... header.

The WebID I am using is hosted on NSS 5.6.7.

I wonder if there is an incompatibility between the NSS auth and the CSS auth or the auth library that mashlib uses (solid-auth-client).

Anything I can do here?

@RubenVerborgh RubenVerborgh self-assigned this Jul 30, 2021
@RubenVerborgh
Member

Thanks @angelo-v. This behavior is by design.

Mashlib is using an older version of the OIDC interaction flow, which we no longer consider secure. We have investigated this (CommunitySolidServer/CommunitySolidServer#850, CommunitySolidServer/CommunitySolidServer#851) and determined that the issue lies with Mashlib. Changing behavior on the CSS side would be undesired for security reasons.

There is a plan in the works for fixing Mashlib; once this is complete, the Mashlib recipe will also work for private resources. Currently, you can only access public resources.

@angelo-v
Author

Thanks Ruben, I see and totally understand that.

To clarify those things I propose to add a hint about that in the readme, so that it is clear to everybody trying the recipe.

@jeff-zucker

jeff-zucker commented Oct 9, 2021

I have tested with the new mashlib that uses the new auth both as a frontend and from a remote browse.html. In both cases, as long as my config has util/identifiers/suffix.json I CAN log in and read private resources. When I change the setting to util/identifiers/subdomain.json (and recreate my data folder and recreate new accounts), I get the 400 error when I log in and then attempt to read one of the resources (e.g. the README).

The server message is this:

2021-10-09T21:18:41.979Z [BaseHttpServerFactory] info: Received GET request for /profile/card
2021-10-09T21:18:41.981Z [DPoPWebIdExtractor] warn: Error verifying WebID via DPoP-bound access token: The URI claim could not be verified as secure.
Actual: http://jeff.localhost:3000/profile/card#me
Expected: The webid claim to be an HTTPS URI or a localhost with port number HTTP URI

Again, I can use mashlib fine when using suffix style but get this error when using subdomain style.

@jeff-zucker jeff-zucker reopened this Oct 9, 2021
@RubenVerborgh
Member

@joachimvh, should we turn this into a CSS issue?

But perhaps it's worth upgrading the recipes first to the upcoming v2 and see if the issue still persists.

@joachimvh
Member

I don't think this is something that we can (should?) solve. localhost is not supposed to have subdomains. The one thing we could perhaps do is error if the server is started with the subdomain setting and the host is localhost?

@jeff-zucker

> localhost is not supposed to have subdomains

According to what standard?

If this is true, then please put something in the README that warns people it won't work.

@joachimvh
Member

> According to what standard?

I had a look and could indeed not find this so I might be wrong there.

In that case it's a question of how the DPoP library handles these URLs. AFAIK the spec always requires HTTPS, but an exception was made in the library for localhost URLs. It might make sense indeed to also add an exception for subdomains of localhost since those will also be internal anyway. Pinging @matthieubosquet since he handles that library.

@RubenVerborgh
Member

Chiming in here to say that the localhost exceptions might be dangerous.

Rather, we might want to check that the IP address resolved from the host is 127.0.0.1 or so.
Cfr. what I wrote here: nodeSolidServer/node-solid-server@a3fdde2#diff-f9a0dd7e5b5b29284b4570ed359ed9724ddaa0101f50cde2463fbad6b89b81d5
