API security - http 400 bad request

Roballen · September 16, 2020, 11:35pm

I have…

[x] Checked the logs and have provided the logs if I found something suspicious there

I’m submitting a…

[x] Regression (a behavior that stopped working in a new release)
[ ] Bug report
[ ] Performance issue
[x] Documentation issue or request

Current behavior

Hi Sebastion or anyone, I am investigating a production issue we just noticed and corrected in our app and I need to provide assurances and a root cause to our stakeholders that this will not happen again.

Our authentication code that had been working for 6 months, suddenly stopped working and returned http 400 bad request. I am not as concerned with whether the code was correctly written in the first place as I am with what changed that caused it to stop and whether we can expect it to happen in the future, and if so, how we can get in front of it and make the necessary changes before an outage occurs.

Below is a commit that fixed the issue.

You can assume that the configuration variables were not changed. It was actually the code that affected the results.

Thanks.

Environment

[ ] Self hosted with docker
[ ] Self hosted with IIS
[ ] Self hosted with other version
[x ] Cloud version

Sebastian · September 17, 2020, 5:07am

What was the content type in the first request? It could be that the identity server became more strict and has started to decline requests. I am updating it from time to time.

Roballen · September 17, 2020, 3:17pm

I think it was using the default headers for my axios client

const DEFAULT_HEADERS = {
  Accept: 'application/json',
  'content-type': 'application/json',
};

Sebastian · September 17, 2020, 3:19pm

Yes, this makes sense.

marcus_hum · September 18, 2020, 12:33pm

I have a similar issue as Roballen, where I receive a 400 bad request error when trying to get a token from the identity server. The code has not been modified recently.

I don’t see any similarity between the solution that worked for Roballen, and how my code works. Sebastian, could you give some more details on how the identity server has become more strict, so I can figure out what I might be doing wrong?

Sebastian · September 18, 2020, 12:35pm

Can you post the code and the error you get from the token endpoint?

marcus_hum · September 18, 2020, 1:06pm

Ok, let’s see if I can provide what you need…
This is the function that retrieves a token for any visitor to the site

async function requestToken(userType = "default") {
  var getTokenMetaData = new FormData()
  if (userType = "default") {
    getTokenMetaData.append('client_id', 'ingridcloud:visitor');
    getTokenMetaData.append('scope', 'squidex-api');
    getTokenMetaData.append('client_secret', '[client-secret]');                                                  
    getTokenMetaData.append('grant_type', 'client_credentials');
  }

  let response = await fetch('https://cloud.squidex.io/identity-server/connect/token', {
    method: 'POST',
    body: getTokenMetaData,
  })
  let data = await response.json()
  return data.access_token}
}

The error message in the browser is simply that the POST request produces a 400 response, and that request is created in the function I pasted above.

While trying in Postman with the same client_id and client_secret, the error is

{
"traceId": "|1d022e10-4e6398a299ae8e66.",
"type": "https://tools.ietf.org/html/rfc7231#section-6.5.4",
"statusCode": 404
}

Sebastian · September 18, 2020, 1:39pm

Can you send me the client id and secret as PM?

Roballen · September 18, 2020, 3:30pm

Thanks for the updates. Hoping now that we are sending more appropriate headers this will not happen again.