Trino Gateway UI ajax calls do not carry Basic Auth headers from the page #476

Open
shk3 opened this issue Sep 23, 2024 · 3 comments

shk3 commented Sep 23, 2024

Our setup uses Basic Auth for users via a transparent proxy that exchanges the Basic Auth credentials for a JWT token and passes it to the backend. When we have Trino Gateway set up behind this transparent proxy, users would need to provide credentials via Basic Auth as required for other parts of Trino.

While the Trino Gateway UI can load properly under Basic Auth, it looks like the ajax calls made by this UI do not carry the Basic Auth credentials in the request headers. All the resources (images / css / js files) are loaded properly with Basic Auth credentials inherited from the page itself, but the ajax calls don't carry these credentials.

It seems to me that this might be related to the getHeaders function as defined here:

```ts
export function getHeaders(): Record<string, string> {
  const accessStore = useAccessStore.getState();
  const headers: Record<string, string> = {
    "x-requested-with": "XMLHttpRequest",
    "Content-Language": getServerLang(),
  };
  const makeBearer = (token: string) => `Bearer ${token.trim()}`;
  const validString = (x: string) => x && x.length > 0;
  if (validString(accessStore.token)) {
    headers.Authorization = makeBearer(accessStore.token);
  }
  return headers;
}
```

I'm not sure how to make it work though, but at this point, our UI is rendered without data because of this header not being carried.

Does anyone else run into this issue too?

Member

mosabua commented Sep 23, 2024

From my limited understanding this would require for Trino Gateway to support JWT token auth .. at this stage this is not the case.

I am not sure if adding the basic auth credentials to the ajax calls would solve your issue but you could try and if it works send a PR.

Author

shk3 commented Sep 23, 2024

> From my limited understanding this would require for Trino Gateway to support JWT token auth .. at this stage this is not the case.
>
> I am not sure if adding the basic auth credentials to the ajax calls would solve your issue but you could try and if it works send a PR.

For our use case, we are not expecting Trino Gateway to use the basic auth creds for its own authentication. Our setup has a basic auth to protect the whole domain, and the fact that the ajax calls don't carry basic auth creds causes these calls to get HTTP 401.

I have tried to fix it myself but cannot find a way to propagate the basic creds with my limited frontend knowledge.

@oneonestar
Member

The current implementation is:

  • WebUI passes basic auth info to /login
  • /login returns a JWT signed by authentication.form.selfSignKeyPair.privateKeyRsa
  • WebUI stores the JWT and uses it for the future API calls.
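
An added example, not part of the thread and not Trino Gateway code: a small model of how the `Authorization` header is decided when a script following the `getHeaders` pattern runs behind a proxy that expects Basic Auth. It applies the Fetch standard rule that the browser adds cached HTTP authentication credentials only when credentials are included and the request has no `Authorization` header yet; `scriptHeaders`, `headersOnWire`, `proxyStatus`, `scenario` and the credential strings are hypothetical names and constructed values.

```typescript
type HeaderMap = Record<string, string>;

// Constructed placeholder for the credential the browser cached for the page.
const CACHED_BASIC = "Basic constructed-placeholder";

// What the UI script sets, following the getHeaders() pattern: a Bearer token
// when one is stored, otherwise no Authorization header at all.
function scriptHeaders(storedJwt: string): HeaderMap {
  const headers: HeaderMap = { "x-requested-with": "XMLHttpRequest" };
  if (storedJwt.trim().length > 0) {
    headers["Authorization"] = `Bearer ${storedJwt.trim()}`;
  }
  return headers;
}

// Fetch standard rule: cached HTTP auth credentials are appended only if the
// request includes credentials and carries no Authorization header already.
function headersOnWire(
  script: HeaderMap,
  cachedBasic: string | null,
  includeCredentials: boolean
): HeaderMap {
  const out: HeaderMap = { ...script };
  const hasAuth = Object.keys(out).some(
    (k) => k.toLowerCase() === "authorization"
  );
  if (includeCredentials && !hasAuth && cachedBasic !== null) {
    out["Authorization"] = cachedBasic;
  }
  return out;
}

// Assumed stand-in for a proxy that guards the whole domain with Basic Auth.
function proxyStatus(wire: HeaderMap): number {
  const auth = wire["Authorization"] || "";
  return auth.indexOf("Basic ") === 0 ? 200 : 401;
}

// Status the proxy would return for one UI API call.
function scenario(storedJwt: string, includeCredentials: boolean): number {
  const wire = headersOnWire(scriptHeaders(storedJwt), CACHED_BASIC, includeCredentials);
  return proxyStatus(wire);
}
```

In this model `scenario("", true)` passes the proxy, while `scenario("", false)` and `scenario("constructed.jwt.value", true)` both get 401: a request has one `Authorization` header, so the gateway's Bearer token and the proxy's Basic credential cannot both travel in it.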
