Lost token after a 301 redirection #294

Closed
dreamkiller52 opened this issue Jul 28, 2021 · 11 comments · Fixed by #301
Labels
documentation Improvements or additions to documentation wontfix This will not be worked on
@dreamkiller52

Hi,
Not sure it's an influxdb-client bug, but I'll try here first.

When trying to push data into influxdb behind an nginx proxy, I lost the authentication token.

Specifications:

  • Client Version: 1.19
  • InfluxDB Version:
  • Platform: docker ubuntu

send: b'POST /api/v2/write?org=my_org&bucket=ups&precision=ns HTTP/1.1\r\nHost: influxdb.mydomain.com\r\nAccept-Encoding: identity\r\nContent-Length: 657\r\nContent-Encoding: identity\r\nContent-Type: text/plain\r\nAccept: application/json\r\nAuthorization: Token OnT56TUQYifLi0d-z0HYxzBSBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxjI-iKwXSw4yGcqfXAu5BOjOm46HH_ngc5Ty5g==\r\nUser-Agent: influxdb-client-python/1.19.0\r\n\r\n'

send: b'ups,hardware=P3:60:J4:0V:HB:,host=NAS,model=Ellipse\ PRO\ 1200,source=NUT battery.charge=100i,battery.runtime=2682i,input.frequency=50,input.voltage=237,input.voltage.extended="no",outlet.1.desc="PowerShare Outlet 1",outlet.1.id=2i,outlet.1.status="on",outlet.1.switchable="no",outlet.2.desc="PowerShare Outlet 2",outlet.2.id=3i,outlet.2.status="on",outlet.2.switchable="no",outlet.desc="Main Outlet",outlet.id=1i,outlet.switchable="no",output.frequency=50,output.frequency.nominal=50i,output.voltage=234,output.voltage.nominal=230i,ups.delay.start=30i,ups.load=11i,ups.power=119i,ups.power.nominal=1200i,ups.realpower=86i,ups.status="OL",ups.timer.start=0i'

reply: 'HTTP/1.1 301 Moved Permanently\r\n'

header: Server: nginx/1.20.1

header: Date: Wed, 28 Jul 2021 07:34:59 GMT

header: Content-Type: text/html

header: Content-Length: 169

header: Connection: keep-alive

header: Location: https://influxdb.mydomain.com/api/v2/write?org=myorg&bucket=ups&precision=ns

send: b'POST /api/v2/write?org=myorg&bucket=ups&precision=ns HTTP/1.1\r\nHost: influxdb.mydomain.com\r\nAccept-Encoding: identity\r\nContent-Length: 657\r\nContent-Encoding: identity\r\nContent-Type: text/plain\r\nAccept: application/json\r\nUser-Agent: influxdb-client-python/1.19.0\r\n\r\n'

send: b'ups,hardware=P3:60:J4:0V:HB:,host=NAS,model=Ellipse\ PRO\ 1200,source=NUT battery.charge=100i,battery.runtime=2682i,input.frequency=50,input.voltage=237,input.voltage.extended="no",outlet.1.desc="PowerShare Outlet 1",outlet.1.id=2i,outlet.1.status="on",outlet.1.switchable="no",outlet.2.desc="PowerShare Outlet 2",outlet.2.id=3i,outlet.2.status="on",outlet.2.switchable="no",outlet.desc="Main Outlet",outlet.id=1i,outlet.switchable="no",output.frequency=50,output.frequency.nominal=50i,output.voltage=234,output.voltage.nominal=230i,ups.delay.start=30i,ups.load=11i,ups.power=119i,ups.power.nominal=1200i,ups.realpower=86i,ups.status="OL",ups.timer.start=0i'

reply: 'HTTP/1.1 401 Unauthorized\r\n'

@bednar
Contributor

bednar commented Jul 28, 2021

Hi @dreamkiller52,

thanks for using our client. We will take a look.

Regards

@dreamkiller52
Author

Let me know if I can help in any way.

@rhajek
Contributor

rhajek commented Jul 28, 2021

Hi @dreamkiller52,

this looks like a problem with the nginx configuration.

The https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass_request_headers config option may help.

@bednar
Contributor

bednar commented Jul 29, 2021

Hi @dreamkiller52,

The issue is caused by https://urllib3.readthedocs.io/en/stable/reference/urllib3.util.html?highlight=redirect#urllib3.util.Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT.

We will prepare a fixed version of the client ASAP... stay tuned.

Regards

@bednar bednar added the bug Something isn't working label Aug 9, 2021
@bednar
Contributor

bednar commented Aug 12, 2021

The Authorization header is removed when going to different hosts, because otherwise the contents of Authorization is sent to third parties which is a security vulnerability.

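If you would like to change this behaviour you can use this workaround before initializing the client:

from urllib3 import Retry
# Empty set: urllib3 no longer strips any header (including Authorization) on redirect.
Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset()
# Apply the same setting to the shared default Retry instance.
Retry.DEFAULT.remove_headers_on_redirect = Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT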

@bednar bednar added documentation Improvements or additions to documentation wontfix This will not be worked on and removed bug Something isn't working labels Aug 12, 2021
@dreamkiller52
Author

I'll try this as soon as possible ;)

@Risca

Risca commented Jan 30, 2023

> The Authorization header is removed when going to different hosts, because otherwise the contents of Authorization is sent to third parties which is a security vulnerability.

Unless I missed something, the redirect is to the same host but with https instead of http. Are you sure this isn't a bug in the client?
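
Added example, not part of the thread and not code from influxdb-client or urllib3: a redirect policy narrower than the `frozenset()` workaround, keeping `Authorization` only when the redirect stays on the same origin or only upgrades http to https on the same host. The function names, the `http://` scheme on the first URL, the `other.example` host and the placeholder token are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)

def classify_redirect(source, location):
    """Name what changed between the request URL and its Location header."""
    src = origin(source)
    dst = origin(urljoin(source, location))  # Location may be relative
    if src == dst:
        return "same-origin"
    if src[1] != dst[1]:
        return "cross-host"
    if (src[0], src[2], dst[0], dst[2]) == ("http", 80, "https", 443):
        return "https-upgrade"
    if src[0] == "https" and dst[0] == "http":
        return "downgrade"
    return "port-change"

def headers_for_redirect(headers, source, location):
    """Keep Authorization only for same-origin or http->https on the same host."""
    if classify_redirect(source, location) in ("same-origin", "https-upgrade"):
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "authorization"}

# Constructed sample; http:// on the first URL is assumed from the comment above.
SRC = "http://influxdb.mydomain.com/api/v2/write?org=myorg&bucket=ups&precision=ns"
DST = "https://influxdb.mydomain.com/api/v2/write?org=myorg&bucket=ups&precision=ns"
HEADERS = {"Authorization": "Token <placeholder>", "Accept": "application/json"}

if __name__ == "__main__":
    for target in (DST, "https://other.example/api/v2/write", "/api/v2/write?org=myorg"):
        kept = "Authorization" in headers_for_redirect(HEADERS, SRC, target)
        print(classify_redirect(SRC, target), "keeps token:", kept)
```

In the log at the top of this issue the first POST already carries the token before the 301 arrives, so configuring the client with the `https://` URL avoids both the redirect and the cleartext send.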

@kernstock

We're seeing this problem with version 1.35.0. Omitting the scheme part of the URL or giving http:// when connecting to a server which will redirect HTTP to HTTPS causes:

influxdb_client.rest.ApiException: (401)
Reason: Unauthorized
[...]
HTTP response body: {"code":"unauthorized","message":"unauthorized access"}

@bednar
Contributor

bednar commented Sep 27, 2023

Hi @kernstock,

try to configure urllib3 to keep authorisation headers for HTTP redirects by:

from urllib3 import Retry
Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset()
Retry.DEFAULT.remove_headers_on_redirect = Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT

Regards

@kernstock

> Hi @kernstock,
>
> try to configure urllib3 to keep authorisation headers for HTTP redirects by:
>
> from urllib3 import Retry
> Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT = frozenset()
> Retry.DEFAULT.remove_headers_on_redirect = Retry.DEFAULT_REMOVE_HEADERS_ON_REDIRECT
>
> Regards

Thanks. In my opinion, this should be default behaviour. Omitting the scheme, giving a valid token and receiving an "Unauthorized" response can be very misleading.
