Not logged in view can't access API in local environment
Discovered during work on #2206 (closed)
When the browser tries to make a call towards the local API, API returns 401 unauthorized.
Way to reproduce
- make sure you are not logged in
- access a room
- scroll up to trigger infinite scrolling which fetches older messages from the API
| Production | Local |
|---|---|
| ✅ | ❌ |
Pseudo stack (based on my debugging):
Why does it work in production?
Deployed versions of Gitter (Beta and Prod) deploy the API separately https://gitlab.com/gitlab-com/gl-infra/gitter-infrastructure/blob/ba19ebe6e40b811103b69f06ac425f34deb5e663/ansible/roles/gitter/web/files/etc/init/gitter-api-1.conf#L30 and use Nginx to route the `/api` requests to it https://gitlab.com/gitlab-com/gl-infra/gitter-infrastructure/blob/ba19ebe6e40b811103b69f06ac425f34deb5e663/ansible/roles/gitter/web/files/etc/nginx/sites-enabled/gitter-api.conf#L21.
I've tested this hypothesis by going to the production box and making one request on the deployed web (`localhost:5021/api/v1...`), which failed with unauthorized (same as local dev env), and then making the same request to the api instance (`localhost:5025/v1...`), which succeeded.
Production schema

```mermaid
graph LR;
A[user] --> B[Nginx]
B -- / --> C[server/web.js - localhost:5021]
B -- /api/ --> D[server/api.js - localhost:5025]
```
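The routing from the diagram above, written out as an added nginx site config for a local setup. This is not the project's own `gitter-api.conf` linked above; the upstream names, the listen port 8080 and the 127.0.0.1 binding are assumptions, the two backend ports are the ones in the diagram. The trailing slash on the `/api/` `proxy_pass` replaces the matched prefix, which is why the api instance is hit at `/v1...` while the web app sees `/api/v1...`:

```nginx
# Added example: replicate the production split locally so that /api
# requests never reach server/web.js (and its authenticate-bearer
# middleware) but go straight to server/api.js.
# Backend ports are from the production schema; everything else is assumed.
upstream gitter_web { server 127.0.0.1:5021; }
upstream gitter_api { server 127.0.0.1:5025; }

server {
    listen 8080;
    server_name localhost;

    # /api/v1/... -> api instance as /v1/...
    # The URI part ("/") on proxy_pass makes nginx strip the matched
    # "/api/" prefix before forwarding.
    location /api/ {
        proxy_pass http://gitter_api/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else -> web app, path unchanged
    location / {
        proxy_pass http://gitter_web;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With the browser pointed at `localhost:8080`, the infinite-scroll fetch goes to the api process directly, as the successful `localhost:5025/v1...` request on the production box did, without disabling any middleware in the web app.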
Temporary workaround
To allow for testing API calls while not logged in, you can locally apply this patch (but don't commit it):
diff --git a/server/web/express.js b/server/web/express.js
index b856852af..6e81868e9 100644
--- a/server/web/express.js
+++ b/server/web/express.js
@@ -125,7 +125,7 @@ module.exports = {
app.use(passport.initialize());
app.use(passport.session());
- app.use(require('./middlewares/authenticate-bearer'));
+ //app.use(require('./middlewares/authenticate-bearer'));
app.use(rememberMe.rememberMeMiddleware);
app.use(require('./middlewares/rate-limiter'));
app.use(require('./middlewares/record-client-usage-stats'));
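Review bot: commenting out `app.use(require('./middlewares/authenticate-bearer'))` disables bearer-token authentication for every route served by this Express app, not only the not-logged-in API reads this issue is about, so while the patch is applied any request that carries an `Authorization: Bearer` header is handled without that token and the local instance no longer reproduces production's token handling. Since the patch is explicitly not to be committed, a comment on the disabled line saying so (or a guard that only skips the middleware when an explicit local-dev flag is set) would make it harder for the change to slip into a commit; the proper fix is the TODO below, serving the API from its own entry point as production does.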
TODO:
- remove the `router-nli-app` and don't fingerprint not logged in users https://gitlab.com/gitlab-org/gitter/webapp/merge_requests/1650
- find out why the `auth-api` behaves differently when initialized in web and api (`auth-api` is a different thing from `authenticate-bearer.js`)
- how to avoid using `server/web/middlewares/authenticate-bearer.js` for API in local dev environment (right now the `server/web/express.js` `.installAll()` gets called before api is initialized)