# talk-keto
[resolved] I am trying to do permission checks; I have the frontend config working, but am always getting a 404 for any of the other endpoints.
```
curl -vvv -H "Authorization: Bearer $ORY_API_KEY" -H "Accept: application/json" "${ORY_PRIVATE_API}/console/active/project"
*   Trying 104.18.12.126:443...
* Connected to elated-khayyam-50ns5l2iaf.projects.oryapis.com (104.18.12.126) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=oryapis.com
*  start date: Sep  1 00:00:00 2023 GMT
*  expire date: Nov 30 23:59:59 2023 GMT
*  subjectAltName: host "elated-khayyam-50ns5l2iaf.projects.oryapis.com" matched cert's "*.projects.oryapis.com"
*  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /console/active/project]
* h2h3 [:scheme: https]
* h2h3 [:authority: elated-khayyam-50ns5l2iaf.projects.oryapis.com]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [authorization: Bearer ory_pat_dsnip....Q]
* h2h3 [accept: application/json]
* Using Stream ID: 1 (easy handle 0x14200a800)
> GET /console/active/project HTTP/2
> Host: elated-khayyam-50ns5l2iaf.projects.oryapis.com
> user-agent: curl/7.88.1
> authorization: Bearer ory_pat_d...snip....Q
> accept: application/json
>
< HTTP/2 404
< date: Wed, 06 Sep 2023 05:22:28 GMT
< content-type: application/json
< content-length: 144
< vary: Origin
< ory-network-region: euw
< ory-network-request-id: 5c10c57b-f246-9912-82db-8390bc3868fd
< cf-cache-status: DYNAMIC
< set-cookie: __cf_bm=P.W7...snip.....M=; path=/; expires=Wed, 06-Sep-23 05:52:28 GMT; domain=.oryapis.com; HttpOnly; Secure; SameSite=None
< set-cookie: __cflb=...snip...; SameSite=None; Secure; path=/; expires=Wed, 06-Sep-23 06:22:28 GMT; HttpOnly
< server: cloudflare
< cf-ray: 802446425d9242f7-EWR
< alt-svc: h3=":443"; ma=86400
<
{"error":{"code":404,"status":"Not Found","request":"5c10c57b-f246-9912-82db-8390bc3868fd","message":"Requested url does not match any rules"}}
* Connection #0 to host elated-khayyam-50ns5l2iaf.projects.oryapis.com left intact
```
This is the TypeScript generating the 404 (end of log with the error below):
```typescript
import { getUserSession } from './authN';
import { Configuration, Session, MetadataApi } from "@ory/client";
import fetchAdapter from '@haverstack/axios-fetch-adapter';


export async function handleAuthZ(request: Request, env: Env, session: Session): Promise<Response> {
    // Debug output of the configured endpoints (this also prints the API key to the log).
    console.log('expected: ', env.ORY_SDK_URL, env.ORY_API_KEY, env.ORY_PRIVATE_API);
    let config = new Configuration({
        basePath: env.ORY_PRIVATE_API,
        apiKey: env.ORY_API_KEY,
        baseOptions: {
            adapter: fetchAdapter,
        },
    });
    let meta = new MetadataApi(config);
    console.log('metadata constructed', meta);
    let version = await meta.getVersion();
    console.log('death'); // <--- we never get this far
    let alive = await meta.isAlive();
    let ready = await meta.isReady();
    // let is_admin = await permission_api.checkPermission({subjectId: session.identity.id, relation: "member", object: "Admins:global"});
    if (request.method === 'OPTIONS') {
        return new Response('', { status: 200 });
    }
    // nothing works
    return new Response('', { status: 200 });
}
```
```
expected:  http://localhost:4000 ory_pat_......snip...........Q https://auth.thriv.systems/
metadata constructed MetadataApi3 {
  basePath: https://auth.thriv.systems/,
  axios: ,
  configuration: Configuration3
}
A promise rejection was handled asynchronously. This warning occurs when attaching a catch handler to a promise after it rejected. (rejection #1)
A promise rejection was handled asynchronously. This warning occurs when attaching a catch handler to a promise after it rejected. (rejection #2)
[mf:err] Error: Request failed with status code 404
    at createError (/Users/geoffgolder/thriv/src/thriv.systems/node_modules/@haverstack/axios-fetch-adapter/lib/index.esm.js:431:17)
    at null.<anonymous> (/Users/geoffgolder/thriv/src/thriv.systems/node_modules/@haverstack/axios-fetch-adapter/lib/index.esm.js:351:15)
    at [object Object]
    at null.<anonymous> (/Users/geoffgolder/thriv/src/thriv.systems/node_modules/@haverstack/axios-fetch-adapter/lib/index.esm.js:342:14)
    at [object Object]
    at fulfilled (/Users/geoffgolder/thriv/src/thriv.systems/node_modules/@haverstack/axios-fetch-adapter/lib/index.esm.js:47:24)
```
This, however, works for authenticating:

```typescript
import { FrontendApi, Configuration, Session, RelationshipApi, MetadataApi } from "@ory/client";
import { handleAuthZ } from "./authZ";
import fetchAdapter from "@haverstack/axios-fetch-adapter";


export async function handleAuth(request: Request, env: Env): Promise<Response> {
    return handleAuthN(request, env);
}
export async function handleAuthN(request: Request, env: Env): Promise<Response> {
    if (request.method === 'OPTIONS') {
        return new Response('', { status: 200 });
    }

    try {
        const userSession = await getUserSession(request, env);
        return handleAuthZ(request, env, userSession);
    } catch (error) {
        return new Response(JSON.stringify(error), { status: 401 });
    }
}

export async function getUserSession(request: Request, env: Env): Promise<Session> {
    const ory = new FrontendApi(
        new Configuration({
            basePath: env.ORY_SDK_URL,
            baseOptions: {
                adapter: fetchAdapter
            },
        })
    );

    const cookies = request.headers.get("Cookie") || undefined;
    const resp = await ory.toSession({ cookie: cookies });
    if (!resp || resp.status === 401) {
        throw new Error('Unauthorized');
    }
    return resp.data;
}
```
I suspect it might have something to do with consuming the session in `getUserSession`, but I am really unsure how to debug other than digging through code.