'Unable to authenticate (okta) a post request to a route from within a route getting a 401 Unauthorized response. GET Request works
I have a nodejs app utilising express using @okta/okta-sdk-nodejs and @okta/oidc-middleware to handle authentication.
I have a number of routes that work fine and are authorised as expected. The following flow generates a 401 status code and I am struggling to work out why.
If I hit the route http://localhost:3000/b/f-e-info i get a response from an external API, this works, I then want to send this to another route /es/ingest/b/ts to get ingested I do this via a function callEs('/es/ingest/b/ts',t.symbols) that uses axios this basically accepts a URL and the response data as parameters and posts the data to the es route router.post('/ingest/b/ts', esParsersController.createTsDocs);. The route utilise the createTsDocs function as a call back which just takes care of ingesting the data into a database.
The error in the nodejs console:
POST /es/ingest/b/t 401 0.520 ms - 12
Error: Request failed with status code 401
at createError (login-portal/node_modules/axios/lib/core/createError.js:16:15)
at settle (login-portal/node_modules/axios/lib/core/settle.js:17:12)
at IncomingMessage.handleStreamEnd (login-portal/node_modules/axios/lib/adapters/http.js:260:11)
at IncomingMessage.emit (events.js:326:22)
at endReadableNT (_stream_readable.js:1252:12)
at processTicksAndRejections (internal/process/task_queues.js:80:21) {
config: {
url: '/es/ingest/b/ts',
method: 'post',
data: '{"data":[{..},{...},{...}]}',
headers: {
Accept: 'application/json, text/plain, */*',
'Content-Type': 'application/json;charset=utf-8',
'User-Agent': 'axios/0.21.1',
'Content-Length': 113195
},
baseURL: 'http://localhost:3000',
transformRequest: [ [Function: transformRequest] ],
transformResponse: [ [Function: transformResponse] ],
timeout: 3000,
adapter: [Function: httpAdapter],
xsrfCookieName: 'XSRF-TOKEN',
xsrfHeaderName: 'X-XSRF-TOKEN',
maxContentLength: -1,
maxBodyLength: -1,
validateStatus: [Function: validateStatus]
},
request: <ref *1> ClientRequest {
_events: [Object: null prototype] {
socket: [Function (anonymous)],
abort: [Function (anonymous)],
aborted: [Function (anonymous)],
connect: [Function (anonymous)],
error: [Function (anonymous)],
timeout: [Function (anonymous)],
prefinish: [Function: requestOnPrefinish]
},
_eventsCount: 7,
_maxListeners: undefined,
outputData: [],
outputSize: 0,
writable: true,
destroyed: false,
_last: true,
chunkedEncoding: false,
shouldKeepAlive: false,
_defaultKeepAlive: true,
useChunkedEncodingByDefault: true,
sendDate: false,
_removedConnection: false,
_removedContLen: false,
_removedTE: false,
_contentLength: null,
_hasBody: true,
_trailer: '',
finished: true,
_headerSent: true,
socket: Socket {
connecting: false,
_hadError: false,
_parent: null,
_host: 'localhost',
_readableState: [ReadableState],
_events: [Object: null prototype],
_eventsCount: 7,
_maxListeners: undefined,
_writableState: [WritableState],
allowHalfOpen: false,
_sockname: null,
_pendingData: null,
_pendingEncoding: '',
server: null,
_server: null,
parser: null,
_httpMessage: [Circular *1],
[Symbol(async_id_symbol)]: 744,
[Symbol(kHandle)]: [TCP],
[Symbol(kSetNoDelay)]: false,
[Symbol(lastWriteQueueSize)]: 0,
[Symbol(timeout)]: null,
[Symbol(kBuffer)]: null,
[Symbol(kBufferCb)]: null,
[Symbol(kBufferGen)]: null,
[Symbol(kCapture)]: false,
[Symbol(kBytesRead)]: 0,
[Symbol(kBytesWritten)]: 0,
[Symbol(RequestTimeout)]: undefined
},
_header: 'POST /es/ingest/b/ts HTTP/1.1\r\n' +
'Accept: application/json, text/plain, */*\r\n' +
'Content-Type: application/json;charset=utf-8\r\n' +
'User-Agent: axios/0.21.1\r\n' +
'Content-Length: 113195\r\n' +
'Host: localhost:3000\r\n' +
'Connection: close\r\n' +
'\r\n',
_keepAliveTimeout: 0,
_onPendingData: [Function: noopPendingOutput],
agent: Agent {
_events: [Object: null prototype],
_eventsCount: 2,
_maxListeners: undefined,
defaultPort: 80,
protocol: 'http:',
options: [Object],
requests: {},
sockets: [Object],
freeSockets: {},
keepAliveMsecs: 1000,
keepAlive: false,
maxSockets: Infinity,
maxFreeSockets: 256,
scheduling: 'fifo',
maxTotalSockets: Infinity,
totalSocketCount: 1,
[Symbol(kCapture)]: false
},
socketPath: undefined,
method: 'POST',
maxHeaderSize: undefined,
insecureHTTPParser: undefined,
path: '/es/ingest/b/ts',
_ended: true,
res: IncomingMessage {
_readableState: [ReadableState],
_events: [Object: null prototype],
_eventsCount: 3,
_maxListeners: undefined,
socket: [Socket],
httpVersionMajor: 1,
httpVersionMinor: 1,
httpVersion: '1.1',
complete: true,
headers: [Object],
rawHeaders: [Array],
trailers: {},
rawTrailers: [],
aborted: false,
upgrade: false,
url: '',
method: null,
statusCode: 401,
statusMessage: 'Unauthorized',
client: [Socket],
_consuming: true,
_dumped: false,
req: [Circular *1],
responseUrl: 'http://localhost:3000/es/ingest/b/ts',
redirects: [],
[Symbol(kCapture)]: false,
[Symbol(RequestTimeout)]: undefined
},
aborted: false,
timeoutCb: null,
upgradeOrConnect: false,
parser: null,
maxHeadersCount: null,
reusedSocket: false,
host: 'localhost',
protocol: 'http:',
_redirectable: Writable {
_writableState: [WritableState],
_events: [Object: null prototype],
_eventsCount: 2,
_maxListeners: undefined,
_options: [Object],
_ended: true,
_ending: true,
_redirectCount: 0,
_redirects: [],
_requestBodyLength: 113195,
_requestBodyBuffers: [],
_onNativeResponse: [Function (anonymous)],
_currentRequest: [Circular *1],
_currentUrl: 'http://localhost:3000/es/ingest/b/ts',
_timeout: Timeout {
_idleTimeout: -1,
_idlePrev: null,
_idleNext: null,
_idleStart: 2235827,
_onTimeout: null,
_timerArgs: undefined,
_repeat: null,
_destroyed: true,
[Symbol(refed)]: true,
[Symbol(kHasPrimitive)]: false,
[Symbol(asyncId)]: 750,
[Symbol(triggerId)]: 746
},
[Symbol(kCapture)]: false
},
[Symbol(kCapture)]: false,
[Symbol(kNeedDrain)]: false,
[Symbol(corked)]: 0,
[Symbol(kOutHeaders)]: [Object: null prototype] {
accept: [Array],
'content-type': [Array],
'user-agent': [Array],
'content-length': [Array],
host: [Array]
}
},
response: {
status: 401,
statusText: 'Unauthorized',
headers: {
'x-powered-by': 'Express',
'content-type': 'text/plain; charset=utf-8',
'content-length': '12',
etag: 'W/"c-dAuDFQrdjS3hezqxDTNgW7AOlYk"',
'set-cookie': [Array],
date: 'Wed, 17 Mar 2021 09:32:20 GMT',
connection: 'close'
},
config: {
url: '/es/ingest/b/t',
method: 'post',
data: '{"data":[{...},{...},{...}]}',
headers: [Object],
baseURL: 'http://localhost:3000',
transformRequest: [Array],
transformResponse: [Array],
timeout: 3000,
adapter: [Function: httpAdapter],
xsrfCookieName: 'XSRF-TOKEN',
xsrfHeaderName: 'X-XSRF-TOKEN',
maxContentLength: -1,
maxBodyLength: -1,
validateStatus: [Function: validateStatus]
},
request: <ref *1> ClientRequest {
_events: [Object: null prototype],
_eventsCount: 7,
_maxListeners: undefined,
outputData: [],
outputSize: 0,
writable: true,
destroyed: false,
_last: true,
chunkedEncoding: false,
shouldKeepAlive: false,
_defaultKeepAlive: true,
useChunkedEncodingByDefault: true,
sendDate: false,
_removedConnection: false,
_removedContLen: false,
_removedTE: false,
_contentLength: null,
_hasBody: true,
_trailer: '',
finished: true,
_headerSent: true,
socket: [Socket],
_header: 'POST /es/ingest/b/ts HTTP/1.1\r\n' +
'Accept: application/json, text/plain, */*\r\n' +
'Content-Type: application/json;charset=utf-8\r\n' +
'User-Agent: axios/0.21.1\r\n' +
'Content-Length: 113195\r\n' +
'Host: localhost:3000\r\n' +
'Connection: close\r\n' +
'\r\n',
_keepAliveTimeout: 0,
_onPendingData: [Function: noopPendingOutput],
agent: [Agent],
socketPath: undefined,
method: 'POST',
maxHeaderSize: undefined,
insecureHTTPParser: undefined,
path: '/es/ingest/b/ts',
_ended: true,
res: [IncomingMessage],
aborted: false,
timeoutCb: null,
upgradeOrConnect: false,
parser: null,
maxHeadersCount: null,
reusedSocket: false,
host: 'localhost',
protocol: 'http:',
_redirectable: [Writable],
[Symbol(kCapture)]: false,
[Symbol(kNeedDrain)]: false,
[Symbol(corked)]: 0,
[Symbol(kOutHeaders)]: [Object: null prototype]
},
data: 'Unauthorized'
},
isAxiosError: true,
toJSON: [Function: toJSON]
}
If I just hit a GET Route in the es file It is authenticated as expected.
app.js
var createError = require('http-errors');
var express = require('express');
var path = require('path');
var session = require('express-session');
var okta = require("@okta/okta-sdk-nodejs");
const { ExpressOIDC } = require('@okta/oidc-middleware');
const keys = require('./config/keys');
var bodyParser = require('body-parser')
var app = express();
app.use( bodyParser.json({limit: "15360mb", type:'application/json'}) );
app.use(bodyParser.urlencoded({limit: '100mb', extended: true}));
// Enabled the routes
const dashboardRouter = require("./routes/dashboard");
const usersRouter = require("./routes/users");
const bRouter = require("./routes/b");
const esRouter = require("./routes/es");
var oktaClient = new okta.Client({
orgUrl: keys.okta_orgUrl,
token: keys.okta_token
});
const oidc = new ExpressOIDC({
issuer: keys.okta_issuer,
client_id: keys.okta_client_id,
client_secret: keys.okta_client_secret,
appBaseUrl: keys.okta_appBaseUrl,
scope: keys.okta_scope,
routes: {
login: {
path: keys.okta_routes_login_path
},
loginCallback: {
path: keys.okta_routes_loginCallback_path,
afterCallback: keys.okta_routes_loginCallback_afterCallback
}
}
});
// view engine setup
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'pug');
app.use(express.json());
app.use(express.urlencoded({ extended: false }));
app.use(express.static(path.join(__dirname, 'public')));
app.use(session({
secret:keys.app_session_secret,
resave: true,
saveUnititialized: false
}));
app.use(oidc.router);
app.use((req, res, next) => {
if (!req.userContext) {
return next();
}
oktaClient.getUser(req.userContext.userinfo.sub)
.then(user => {
req.user = user;
res.locals.user = user;
next();
}).catch(err => {
next(err);
});
});
// redirect our users to the correct route
app.use('/', publicRouter);
app.use('/dashboard', oidc.ensureAuthenticated(), dashboardRouter);
app.use('/users', oidc.ensureAuthenticated(), usersRouter);
app.use('/b', oidc.ensureAuthenticated(), bRouter)
app.use('/es', oidc.ensureAuthenticated(), esRouter)
// error handler
app.use(function(err, req, res, next) {
// set locals, only providing error in development
res.locals.message = err.message;
res.locals.error = req.app.get('env') === 'development' ? err : {};
// render the error page
res.status(err.status || 500);
res.render('error');
});
oidc.on('ready', () => {
app.listen(keys.app_web_server_port, () => console.log('app started'));
});
oidc.on('error', err => {
// An error occurred while setting up OIDC, during token revocation, or during post-logout handling
});
module.exports = app;
b.js route
const axios = require('axios');
const express = require("express");
const b = require('../models/b');
const keys = require('../config/keys');
const router = express.Router();
const esapi = axios.create({
baseURL: keys.app_web_server_addr+':'+keys.app_web_server_port,
timeout: 3000,
});
// function to call es
let callEs = (url, data) => {
esapi.post(
url,
{data})
.catch( err => console.log(err))
}
router.get("/f-e-info", (req, res) => {
fapi.get(b.bfapi+'eInfo')
.then((response) => {
// handle success
//console.log(response.data.symbols);
res.render("t",{response});
return response.data;
// send the data to es
}).then((t) => {
console.log("sending to es")
callEs('/es/ingest/b/ts',t.symbols)
}).catch( (error) => console.log(error));
});
module.exports = router;
es Route
const esParsersController = require('../controllers/esParsers');
const express = require("express");
const router = express.Router();
// This works fine!!!
router.get("/", (req, res) => {
res.render("es-test");
});
// This fails with a 401 unauthorised.
router.post('/ingest/b/ts', esParsersController.createTsDocs);
module.exports = router;
/controllers/esParsers
const keys = require('../config/keys');
const crypto = require("crypto");
const { createReadStream } = require('fs')
const split = require('split2')
const { Client } = require('@elastic/elasticsearch');
const { disconnect } = require('process');
require('array.prototype.flatmap').shim();
const createTsDocs = (req,res) => {
var datasource = []
req.body.data.forEach(function(value){
var doc = {}
doc.symbol = value.symbol;
// ... do stuff with data
datasource.push(doc)
});
ingestDocIntoEs(`${keys.esIndexName_prefix}ts`,datasource);
res.send("data entered")
}
module.exports = {
createTickerDocs
}
Sorry new to nodejs and trying to learn, can someone help me to understand why a post to the es route /ingest/b/ts gives me a 401 but a GET request to the es route / is authenticated as expected?
Solution 1:[1]
I was able to resolved this, forgot to come back an provide and answer. The issue was that I was making a post request with axios which was a new client instance so it did not have any scope of the current request headers. I had to get the current headers from the request and append them to my axios post request.
let config = {
headers : {
cookie: req.headers.cookie
}
}
esapi.post(url,data,config)
The only important part of the cookie is the connect.sid=COOKIE_GOES_HERE'
Another example using curl:
curl -X POST http://localhost:3000/route \
-H 'Content-Type: application/json' \
-H 'Cookie: connect.sid=COOKIE_GOES_HERE' \
-d '{"text": "hello again!", "toUserId": "USER_ID_COPIED_FROM_OKTA_DASHBOARD_URL"}'
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 |