'Unable to authenticate (okta) a post request to a route from within a route getting a 401 Unauthorized response. GET Request works

I have a nodejs app utilising express using @okta/okta-sdk-nodejs and @okta/oidc-middleware to handle authentication.

I have a number of routes that work fine and are authorised as expected. The following flow generates a 401 status code and I am struggling to work out why.

If I hit the route http://localhost:3000/b/f-e-info i get a response from an external API, this works, I then want to send this to another route /es/ingest/b/ts to get ingested I do this via a function callEs('/es/ingest/b/ts',t.symbols) that uses axios this basically accepts a URL and the response data as parameters and posts the data to the es route router.post('/ingest/b/ts', esParsersController.createTsDocs);. The route utilise the createTsDocs function as a call back which just takes care of ingesting the data into a database.

The error in the nodejs console:

POST /es/ingest/b/t 401 0.520 ms - 12
Error: Request failed with status code 401
    at createError (login-portal/node_modules/axios/lib/core/createError.js:16:15)
    at settle (login-portal/node_modules/axios/lib/core/settle.js:17:12)
    at IncomingMessage.handleStreamEnd (login-portal/node_modules/axios/lib/adapters/http.js:260:11)
    at IncomingMessage.emit (events.js:326:22)
    at endReadableNT (_stream_readable.js:1252:12)
    at processTicksAndRejections (internal/process/task_queues.js:80:21) {
  config: {
    url: '/es/ingest/b/ts',
    method: 'post',
    data: '{"data":[{..},{...},{...}]}',
    headers: {
      Accept: 'application/json, text/plain, */*',
      'Content-Type': 'application/json;charset=utf-8',
      'User-Agent': 'axios/0.21.1',
      'Content-Length': 113195
    },
    baseURL: 'http://localhost:3000',
    transformRequest: [ [Function: transformRequest] ],
    transformResponse: [ [Function: transformResponse] ],
    timeout: 3000,
    adapter: [Function: httpAdapter],
    xsrfCookieName: 'XSRF-TOKEN',
    xsrfHeaderName: 'X-XSRF-TOKEN',
    maxContentLength: -1,
    maxBodyLength: -1,
    validateStatus: [Function: validateStatus]
  },
  request: <ref *1> ClientRequest {
    _events: [Object: null prototype] {
      socket: [Function (anonymous)],
      abort: [Function (anonymous)],
      aborted: [Function (anonymous)],
      connect: [Function (anonymous)],
      error: [Function (anonymous)],
      timeout: [Function (anonymous)],
      prefinish: [Function: requestOnPrefinish]
    },
    _eventsCount: 7,
    _maxListeners: undefined,
    outputData: [],
    outputSize: 0,
    writable: true,
    destroyed: false,
    _last: true,
    chunkedEncoding: false,
    shouldKeepAlive: false,
    _defaultKeepAlive: true,
    useChunkedEncodingByDefault: true,
    sendDate: false,
    _removedConnection: false,
    _removedContLen: false,
    _removedTE: false,
    _contentLength: null,
    _hasBody: true,
    _trailer: '',
    finished: true,
    _headerSent: true,
    socket: Socket {
      connecting: false,
      _hadError: false,
      _parent: null,
      _host: 'localhost',
      _readableState: [ReadableState],
      _events: [Object: null prototype],
      _eventsCount: 7,
      _maxListeners: undefined,
      _writableState: [WritableState],
      allowHalfOpen: false,
      _sockname: null,
      _pendingData: null,
      _pendingEncoding: '',
      server: null,
      _server: null,
      parser: null,
      _httpMessage: [Circular *1],
      [Symbol(async_id_symbol)]: 744,
      [Symbol(kHandle)]: [TCP],
      [Symbol(kSetNoDelay)]: false,
      [Symbol(lastWriteQueueSize)]: 0,
      [Symbol(timeout)]: null,
      [Symbol(kBuffer)]: null,
      [Symbol(kBufferCb)]: null,
      [Symbol(kBufferGen)]: null,
      [Symbol(kCapture)]: false,
      [Symbol(kBytesRead)]: 0,
      [Symbol(kBytesWritten)]: 0,
      [Symbol(RequestTimeout)]: undefined
    },
    _header: 'POST /es/ingest/b/ts HTTP/1.1\r\n' +
      'Accept: application/json, text/plain, */*\r\n' +
      'Content-Type: application/json;charset=utf-8\r\n' +
      'User-Agent: axios/0.21.1\r\n' +
      'Content-Length: 113195\r\n' +
      'Host: localhost:3000\r\n' +
      'Connection: close\r\n' +
      '\r\n',
    _keepAliveTimeout: 0,
    _onPendingData: [Function: noopPendingOutput],
    agent: Agent {
      _events: [Object: null prototype],
      _eventsCount: 2,
      _maxListeners: undefined,
      defaultPort: 80,
      protocol: 'http:',
      options: [Object],
      requests: {},
      sockets: [Object],
      freeSockets: {},
      keepAliveMsecs: 1000,
      keepAlive: false,
      maxSockets: Infinity,
      maxFreeSockets: 256,
      scheduling: 'fifo',
      maxTotalSockets: Infinity,
      totalSocketCount: 1,
      [Symbol(kCapture)]: false
    },
    socketPath: undefined,
    method: 'POST',
    maxHeaderSize: undefined,
    insecureHTTPParser: undefined,
    path: '/es/ingest/b/ts',
    _ended: true,
    res: IncomingMessage {
      _readableState: [ReadableState],
      _events: [Object: null prototype],
      _eventsCount: 3,
      _maxListeners: undefined,
      socket: [Socket],
      httpVersionMajor: 1,
      httpVersionMinor: 1,
      httpVersion: '1.1',
      complete: true,
      headers: [Object],
      rawHeaders: [Array],
      trailers: {},
      rawTrailers: [],
      aborted: false,
      upgrade: false,
      url: '',
      method: null,
      statusCode: 401,
      statusMessage: 'Unauthorized',
      client: [Socket],
      _consuming: true,
      _dumped: false,
      req: [Circular *1],
      responseUrl: 'http://localhost:3000/es/ingest/b/ts',
      redirects: [],
      [Symbol(kCapture)]: false,
      [Symbol(RequestTimeout)]: undefined
    },
    aborted: false,
    timeoutCb: null,
    upgradeOrConnect: false,
    parser: null,
    maxHeadersCount: null,
    reusedSocket: false,
    host: 'localhost',
    protocol: 'http:',
    _redirectable: Writable {
      _writableState: [WritableState],
      _events: [Object: null prototype],
      _eventsCount: 2,
      _maxListeners: undefined,
      _options: [Object],
      _ended: true,
      _ending: true,
      _redirectCount: 0,
      _redirects: [],
      _requestBodyLength: 113195,
      _requestBodyBuffers: [],
      _onNativeResponse: [Function (anonymous)],
      _currentRequest: [Circular *1],
      _currentUrl: 'http://localhost:3000/es/ingest/b/ts',
      _timeout: Timeout {
        _idleTimeout: -1,
        _idlePrev: null,
        _idleNext: null,
        _idleStart: 2235827,
        _onTimeout: null,
        _timerArgs: undefined,
        _repeat: null,
        _destroyed: true,
        [Symbol(refed)]: true,
        [Symbol(kHasPrimitive)]: false,
        [Symbol(asyncId)]: 750,
        [Symbol(triggerId)]: 746
      },
      [Symbol(kCapture)]: false
    },
    [Symbol(kCapture)]: false,
    [Symbol(kNeedDrain)]: false,
    [Symbol(corked)]: 0,
    [Symbol(kOutHeaders)]: [Object: null prototype] {
      accept: [Array],
      'content-type': [Array],
      'user-agent': [Array],
      'content-length': [Array],
      host: [Array]
    }
  }, 
response: {
    status: 401,
    statusText: 'Unauthorized',
    headers: {
      'x-powered-by': 'Express',
      'content-type': 'text/plain; charset=utf-8',
      'content-length': '12',
      etag: 'W/"c-dAuDFQrdjS3hezqxDTNgW7AOlYk"',
      'set-cookie': [Array],
      date: 'Wed, 17 Mar 2021 09:32:20 GMT',
      connection: 'close'
    },
    config: {
      url: '/es/ingest/b/t',
      method: 'post',
      data: '{"data":[{...},{...},{...}]}',

      headers: [Object],
      baseURL: 'http://localhost:3000',
      transformRequest: [Array],
      transformResponse: [Array],
      timeout: 3000,
      adapter: [Function: httpAdapter],
      xsrfCookieName: 'XSRF-TOKEN',
      xsrfHeaderName: 'X-XSRF-TOKEN',
      maxContentLength: -1,
      maxBodyLength: -1,
      validateStatus: [Function: validateStatus]
    },
    request: <ref *1> ClientRequest {
      _events: [Object: null prototype],
      _eventsCount: 7,
      _maxListeners: undefined,
      outputData: [],
      outputSize: 0,
      writable: true,
      destroyed: false,
      _last: true,
      chunkedEncoding: false,
      shouldKeepAlive: false,
      _defaultKeepAlive: true,
      useChunkedEncodingByDefault: true,
      sendDate: false,
      _removedConnection: false,
      _removedContLen: false,
      _removedTE: false,
      _contentLength: null,
      _hasBody: true,
      _trailer: '',
      finished: true,
      _headerSent: true,
      socket: [Socket],
      _header: 'POST /es/ingest/b/ts HTTP/1.1\r\n' +
        'Accept: application/json, text/plain, */*\r\n' +
        'Content-Type: application/json;charset=utf-8\r\n' +
        'User-Agent: axios/0.21.1\r\n' +
        'Content-Length: 113195\r\n' +
        'Host: localhost:3000\r\n' +
        'Connection: close\r\n' +
        '\r\n',
      _keepAliveTimeout: 0,
      _onPendingData: [Function: noopPendingOutput],
      agent: [Agent],
      socketPath: undefined,
      method: 'POST',
      maxHeaderSize: undefined,
      insecureHTTPParser: undefined,
      path: '/es/ingest/b/ts',
      _ended: true,
      res: [IncomingMessage],
      aborted: false,
      timeoutCb: null,
      upgradeOrConnect: false,
      parser: null,
      maxHeadersCount: null,
      reusedSocket: false,
      host: 'localhost',
      protocol: 'http:',
      _redirectable: [Writable],
      [Symbol(kCapture)]: false,
      [Symbol(kNeedDrain)]: false,
      [Symbol(corked)]: 0,
      [Symbol(kOutHeaders)]: [Object: null prototype]
    },
    data: 'Unauthorized'
  },
  isAxiosError: true,
  toJSON: [Function: toJSON]
}

If I just hit a GET Route in the es file It is authenticated as expected. 

app.js

var createError = require('http-errors');
var express = require('express');
var path = require('path');
var session = require('express-session');
var okta = require("@okta/okta-sdk-nodejs");
const { ExpressOIDC } = require('@okta/oidc-middleware');
const keys = require('./config/keys'); 
var bodyParser = require('body-parser')

var app = express();
app.use( bodyParser.json({limit: "15360mb", type:'application/json'}) );
app.use(bodyParser.urlencoded({limit: '100mb', extended: true}));

// Enabled the routes

const dashboardRouter = require("./routes/dashboard");
const usersRouter = require("./routes/users");
const bRouter = require("./routes/b");
const esRouter = require("./routes/es");


var oktaClient = new okta.Client({
  orgUrl: keys.okta_orgUrl,
  token: keys.okta_token
});


const oidc = new ExpressOIDC({
  issuer: keys.okta_issuer,
  client_id: keys.okta_client_id,
  client_secret: keys.okta_client_secret,
  appBaseUrl: keys.okta_appBaseUrl,
  scope: keys.okta_scope,
  routes: {
    login: {
      path: keys.okta_routes_login_path
    },
    loginCallback: {
      path: keys.okta_routes_loginCallback_path,
      afterCallback: keys.okta_routes_loginCallback_afterCallback
    }
  }
});



// view engine setup
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'pug');

app.use(express.json());
app.use(express.urlencoded({ extended: false }));
app.use(express.static(path.join(__dirname, 'public')));
app.use(session({
  secret:keys.app_session_secret,
  resave: true,
  saveUnititialized: false
}));
app.use(oidc.router);

app.use((req, res, next) => {
  if (!req.userContext) {
    return next();
  }

  oktaClient.getUser(req.userContext.userinfo.sub)
    .then(user => {
      req.user = user;
      res.locals.user = user;
      next();
    }).catch(err => {
      next(err);
    });
});



// redirect our users to the correct route

app.use('/', publicRouter);
app.use('/dashboard', oidc.ensureAuthenticated(), dashboardRouter); 
app.use('/users', oidc.ensureAuthenticated(), usersRouter);
app.use('/b', oidc.ensureAuthenticated(), bRouter)
app.use('/es', oidc.ensureAuthenticated(), esRouter)

// error handler
app.use(function(err, req, res, next) {
  // set locals, only providing error in development
  res.locals.message = err.message;
  res.locals.error = req.app.get('env') === 'development' ? err : {};

  // render the error page
  res.status(err.status || 500);
  res.render('error');
});

oidc.on('ready', () => {
  app.listen(keys.app_web_server_port, () => console.log('app started'));
});

oidc.on('error', err => {
  // An error occurred while setting up OIDC, during token revocation, or during post-logout handling
});

module.exports = app;

b.js route

const axios = require('axios');
const express = require("express");
const b = require('../models/b');
const keys = require('../config/keys'); 

const router = express.Router();


const esapi = axios.create({
    baseURL: keys.app_web_server_addr+':'+keys.app_web_server_port,
    timeout: 3000,
    });  


// function to call es
let callEs = (url, data) => {
    esapi.post(
        url,
        {data})
    .catch( err => console.log(err))
}

router.get("/f-e-info", (req, res) => {
    fapi.get(b.bfapi+'eInfo')
    .then((response) => {
      // handle success
      //console.log(response.data.symbols);
      res.render("t",{response});
      return response.data;
      // send the data to es  
    }).then((t) => {
        console.log("sending to es")
        callEs('/es/ingest/b/ts',t.symbols)
      
    }).catch( (error) => console.log(error));
});

module.exports = router;

es Route

const esParsersController = require('../controllers/esParsers'); 
const express = require("express");

const router = express.Router();

// This works fine!!! 
router.get("/", (req, res) => {
    res.render("es-test");
  });


// This fails with a 401 unauthorised.
router.post('/ingest/b/ts', esParsersController.createTsDocs);

module.exports = router;

/controllers/esParsers

const keys = require('../config/keys');
const crypto = require("crypto");
const { createReadStream } = require('fs')
const split = require('split2')
const { Client } = require('@elastic/elasticsearch');
const { disconnect } = require('process');
require('array.prototype.flatmap').shim();

const createTsDocs = (req,res) => {
  var datasource = []
  req.body.data.forEach(function(value){
        var doc = {}
        doc.symbol = value.symbol;
        // ... do stuff with data
        datasource.push(doc)
  });
      ingestDocIntoEs(`${keys.esIndexName_prefix}ts`,datasource);
      res.send("data entered")
}

module.exports = {
  createTickerDocs
}

Sorry new to nodejs and trying to learn, can someone help me to understand why a post to the es route /ingest/b/ts gives me a 401 but a GET request to the es route / is authenticated as expected?



Solution 1:[1]

I was able to resolved this, forgot to come back an provide and answer. The issue was that I was making a post request with axios which was a new client instance so it did not have any scope of the current request headers. I had to get the current headers from the request and append them to my axios post request.

let config = {
    headers : {
      cookie: req.headers.cookie
    }
  }

esapi.post(url,data,config)

The only important part of the cookie is the connect.sid=COOKIE_GOES_HERE'

Another example using curl:

curl -X POST http://localhost:3000/route \
  -H 'Content-Type: application/json' \
  -H 'Cookie: connect.sid=COOKIE_GOES_HERE' \
  -d '{"text": "hello again!", "toUserId": "USER_ID_COPIED_FROM_OKTA_DASHBOARD_URL"}'

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1