Accessing a public project in renku v2 in a fresh browser shows error when listing sessions

[olevski]

I am logged in but my session is perhaps expired... I cannot reproduce this when opening the public project at https://renkulab.io/v2/projects/renku-team/n2o-pathway-analysis with an incognito tab.

Seen on renku 0.57.1.

[olevski]

These is the cloud storage configuration:

Mount point (this is where the storage will be mounted during sessions)

external_storage/Climate-Manipulation

url

https://polybox.ethz.ch/public.php/webdav/

type

webdav

user

8NffJ3rFyHaVjgR
Source path
/

Requires credentials

No

Access mode

Force Read-only

[leafty]

Is there any way to reproduce this? Or to have a log trace?

[olevski]

There probably is... I am on the train with spotty internet connection. So I have captured as much as I can. I suspect the problem is either an expired session or a path where the gateway does not assign this anonymous user header needed by the notebook service to identify an anonymous user. It is probably the latter. And I think I added this to the gateway already in a PR for the new amalthea version. Once I get back into the office in the afternoon I will take a look at the code and figure it out. The notebooks does not try to check the gateway's session cookie (I am pretty sure) and it just spits out that error message.

[leafty]

There probably is... I am on the train with spotty internet connection. So I have captured as much as I can. I suspect the problem is either an expired session or a path where the gateway does not assign this anonymous user header needed by the notebook service to identify an anonymous user. It is probably the latter. And I think I added this to the gateway already in a PR for the new amalthea version. Once I get back into the office in the afternoon I will take a look at the code and figure it out. The notebooks does not try to check the gateway's session cookie (I am pretty sure) and it just spits out that error message.

The thing is that the anon header should be injected when not logged in, see:

renku-gateway/internal/revproxy/middlewares.go

Lines 237 to 259 in 7705567

	// Injects the sessionID as an identifier for an anonymous user. It will only do so if there are no
	// headers already injected for the keycloak tokens. Therefore this should always run in the middleware
	// chain after all other token injection middelwares have run.
	func notebooksAnonymousID(sessions *sessions.SessionStore) echo.MiddlewareFunc {
	return func(next echo.HandlerFunc) echo.HandlerFunc {
	return func(c echo.Context) error {
	// The request is not anonymous, continue
	if c.Request().Header.Get("Renku-Auth-Access-Token") != "" || c.Request().Header.Get("Renku-Auth-Id-Token") != "" || c.Request().Header.Get("Renku-Auth-Refresh-Token") != "" {
	return next(c)
	}
	// Use the session ID as the anonymous ID
	session, err := sessions.Get(c)
	if err != nil || session.ID == "" {
	session, err = sessions.Create(c)
	}
	if err != nil {
	return err
	}
	c.Request().Header.Set("Renku-Auth-Anon-Id", session.ID)
	return next(c)
	}
	}
	}

One possibility is that some tokens where expired and could not be renewed.