Arango auth and Foxx auth


Dan Tomosoiu

Jun 25, 2014, 6:23:37 AM
to aran...@googlegroups.com
Hello,

I have a question regarding the way Foxx is authorized to do its requests when authorization is enabled on arangod.

These are my auth settings in arangod.conf:

disable-authentication = false
authenticate-system-only = true

My plan is to have current REST requests towards arangodb be routed through Foxx, which would allow them only if the user is authenticated in the Foxx application, and forbid REST requests directly to arangodb.

This is an example of such a routing:

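var Foxx = require("org/arangodb/foxx");
var actions = require("org/arangodb/actions");
var controller = new Foxx.Controller(applicationContext);

// Forward only PUT /api/simple/all to the database API; reject everything else.
controller.put("/api/:paramA/:paramB", function (req, res, options, next) {
    var paramA = req.params("paramA");
    var paramB = req.params("paramB");
    if (paramA !== "simple" || paramB !== "all") {
        res.json({ "error": "bad request?" });
    } else {
        actions.redirectRequest(req, res, { destination: "http://localhost:8529/_db/MyDB/_api/" + paramA + "/" + paramB }, next);
    }
}).onlyIfAuthenticated(401, "You are not authenticated");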



This seemed to be working towards what I wanted, if authorization is disabled the routing works fine, but when I enable it, I get an authorization dialog which wants me to enter the credentials for MyDB database.
Am I missing something or did I understand "authenticate-system-only = true" poorly ? I was hoping that Foxx would be able to bypass that authorization, either by 'magic' (arangodb realising it's a trusted source) or by providing some credentials in the Foxx application itself (but not on the client) ?

Dan Tomosoiu

Jun 27, 2014, 8:57:38 AM
to aran...@googlegroups.com
Bump ?

Frank Celler

Jun 27, 2014, 9:36:46 AM
to aran...@googlegroups.com
Lucas is currently in Singapore. I hope he will be back on Monday.

On Friday, June 27, 2014 at 14:57:38 UTC+2, Dan Tomosoiu wrote:
Bump ?

Dan Tomosoiu

Jun 27, 2014, 10:46:17 AM
to aran...@googlegroups.com
I understand, thanks for the update.

Regards,
Dan

Frank Celler

Jul 1, 2014, 8:50:34 AM
to aran...@googlegroups.com
Hi Dan,

I talked to Lucas and Alan. We think the problem is as follows: You have enabled authentication for the API. If you do a redirect, your browser will be redirected to the API page and therefore shows the password dialog.

Alan is currently working on a solution to share the users between Foxx and API calls. But this is currently not working.

Instead of redirecting the request, you could rewrite it (see e.g. http://stackoverflow.com/questions/23603483/how-to-set-foxx-app-at-server-root). There is however a catch: it is not possible to rewrite some of the basic operations. You would need to implement an equivalent in JavaScript.

Hope that explains the situation a little bit. If you need more information, please let us know.
  Frank

Dan Tomosoiu

Jul 1, 2014, 12:26:27 PM
to aran...@googlegroups.com
Hi Frank,

Thanks again for the reply, I'll try to see if I can solve my problem using rewriting in the next few days, hopefully.
Still, it's good to hear that a solution for sharing users is being worked on, looking forward to being able to use that in the end.

Best regards,
Dan

Dan Tomosoiu

Aug 26, 2014, 6:55:33 AM
to aran...@googlegroups.com
Hi Frank,

I still haven't found a way to make this work.

What should the next parameter of a rewriteRequest be ?

var Foxx = require("org/arangodb/foxx");
var actions = require("org/arangodb/actions");
var controller = new Foxx.Controller(applicationContext);

controller.get('/api/:paramA/:paramB/:paramC', function (req, res, options, next) {
    var paramA = req.params('paramA');
    var paramB = req.params('paramB');
    var paramC = req.params('paramC');
    if (paramA === 'document') {
        actions.rewriteRequest(req, res, { destination: "http://localhost:8529/_db/MyDB/_api/" + paramA + "/" + paramB + "/" + paramC }, next); // this fails because next is undefined
    } else {
        res.json({ "error": "bad request?" });
    }
}).onlyIfAuthenticated(401, "You are not authenticated");


Also, are there any updates regarding the release of the new session functionality ?

Regards,
Dan

Frank Celler

Sep 1, 2014, 9:02:51 AM
to aran...@googlegroups.com
Sorry, lost sight of that matter. Did you manage to solve it?

Dan Tomosoiu

Sep 1, 2014, 10:06:37 AM
to aran...@googlegroups.com
No, almost lost all hope :(

Frank Celler

Sep 1, 2014, 12:42:32 PM
to aran...@googlegroups.com
We will find a solution. I have to talk to Lucas to check how he can extend Foxx to support this.

Frank Celler

Sep 2, 2014, 4:43:42 AM
to aran...@googlegroups.com
I have talked to Lucas. We will add an "around" method (similar to before and after) to the Foxx controller. Then you will be able to use it as follows:

  controller.around("/hallo", function (req, res, options, next) {
    actions.rewriteRequest(req, res, {
      destination: applicationContext.mount + "/hello"
    }, next);
  });
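
Added example (not part of the thread and not ArangoDB project code): a route that forwards to the internal API is safer when it resolves the destination from an allowlist instead of concatenating request parameters. `ALLOWED_ROUTES`, `SAFE_SEGMENT` and `resolveDestination` are hypothetical names, and the segment pattern is a conservative assumption, not ArangoDB's actual naming rules.

```javascript
// Added example: allowlist for a gateway route in front of the database API.
// ALLOWED_ROUTES, SAFE_SEGMENT and resolveDestination are hypothetical names.
var API_PREFIX = "/_db/MyDB/_api"; // database name as used in the thread

// Method, fixed leading segments, and number of caller-supplied segments.
var ALLOWED_ROUTES = [
  { method: "PUT", fixed: ["simple", "all"], free: 0 },
  { method: "GET", fixed: ["document"], free: 2 } // collection, key
];

// Assumed conservative pattern: no dots, slashes or percent signs, so a
// segment can never be "..", contain a separator, or smuggle an encoding.
var SAFE_SEGMENT = /^[A-Za-z0-9_-]{1,64}$/;

function matches(route, method, segments) {
  if (route.method !== method) { return false; }
  if (segments.length !== route.fixed.length + route.free) { return false; }
  return segments.every(function (seg, i) {
    return i < route.fixed.length
      ? seg === route.fixed[i]
      : typeof seg === "string" && SAFE_SEGMENT.test(seg);
  });
}

// Returns a server-side path for a rewrite, or null if not allowed.
function resolveDestination(method, segments) {
  var allowed = ALLOWED_ROUTES.some(function (route) {
    return matches(route, method, segments);
  });
  if (!allowed) { return null; }
  return API_PREFIX + "/" + segments.map(encodeURIComponent).join("/");
}

// Constructed sample requests.
[
  ["PUT", ["simple", "all"]],
  ["GET", ["document", "users", "12345"]],
  ["GET", ["document", "..", "_admin"]],
  ["DELETE", ["document", "users", "12345"]]
].forEach(function (r) {
  console.log(r[0], r[1].join("/"), "->", resolveDestination(r[0], r[1]));
});
```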

Frank Celler

Sep 4, 2014, 8:45:18 AM
to aran...@googlegroups.com
The around method is available in ArangoDB 2.2.3, see https://www.arangodb.org/2014/09/04/arangodb-2-2-3

Dan Tomosoiu

Sep 5, 2014, 8:37:16 AM
to aran...@googlegroups.com
Hi Frank,

Thanks very much for the update, I'm not working on this issue for the time being but it's good to know I'll be able to get 'around' it once I'll be back :)

Thank you, I really appreciate the work you're doing!

Regards,
Dan