Autopush-rs Endpoint fails to read AUTHENTICATION header
#282
Comments
|
Despite the registration docs only showing # Older versions used "bearer", newer specification requires "webpush"
AUTH_SCHEMES = ["bearer", "webpush", "vapid"]The clients affected appear to be Fenix (Firefox android) -- which looks to be sending the |
|
python's This should be a quick fix as the auth header's parsed the same as the |
|
Yeah, fun with VAPID. IIRC, "Bearer" was for VAPID draft 00, "WebPush" was for Vapid draft 01, and "vapid" was for Vapid draft 02 - RFC. "Bearer" and "WebPush" both used Vapid 01 format. |
|
Sigh. The problem is that this is the internal Authentication header (used to auth operational calls, and NOT to be used by the subscription provider endpoint.) For instance, if a mobile client wants to mange it's own list of subscriptions, it would use this bearer token based Authentication. I don't know why this auth is being called, but I suspect that it's being triggered by the middleware and therefore being brought in on all calls. |
Are you saying I'm not sure I understand -- |
|
No, I'm saying that there's a separate Authentication header for the completely different routes that handle subscription management from the mobile UA. That's what's failing to authenticate. I'm trying to work out a few tests to validate that things are working but here are a few horror cases for why this might be failing:
As it stands, I'm trying to recover a running version of autopush_endpoint (currently building it in a python2.7 docker, so fingers crossed) to see if I can generate a "legacy" authentication header and compare it to one being generated by rust. |
So the problem isn't with Vapid. It's with how we were generating the other authorization token, specifically differences with how python and rust were handling things. Python was converting the hex UAID string into a set of bytes, rust was converting the 128bit UUID UAID into bytes. Combine that with some fun regarding the base auth key string, and.. yeah. I added a test to this to compare the auth key generated by python with rust, broke the generate and validate functions into the AuthorizationCheck impl and added a bunch of comments. Closes #282
* bug: fix local Authorization header So the problem isn't with Vapid. It's with how we were generating the other authorization token, specifically differences with how python and rust were handling things. Python was converting the hex UAID string into a set of bytes, rust was converting the 128bit UUID UAID into bytes. Combine that with some fun regarding the base auth key string, and.. yeah. I added a test to this to compare the auth key generated by python with rust, broke the generate and validate functions into the AuthorizationCheck impl and added a bunch of comments. Closes #282
We're seeing https://sentry.prod.mozaws.net/operations/autopush-prod/issues/12011604/events/latest/ on test deploy of the autopush-rs endpoint.
The error being returned indicates that
get_token_from_auth_headeris failing, indicating that either the AUTHORIZATION header changed format or we're not reading it correctly. We need to test againstMozilla/5.0 (Android 10; Mobile; rv:89.0) Gecko/89.0 Firefox/89.0or later to verify that the header is correct and readable.The text was updated successfully, but these errors were encountered: