Problem: Crash when trying to auth via websocket (#630)

The auth function in websocket was crashing when the header "X-Auth-Signature" wasn't passed, even that authentification method wasn't used. This caused issues when header "X-Auth-Signature" was not passed. Endpoint authenticate_api_request is not adequate for Websocket connections (#632) --------- Co-authored-by: Hugo Herter <[email protected]>
aleph-im · Jun 13, 2024 · 1095e3f · 1095e3f
1 parent b7e0ccf
commit 1095e3f
Showing 1 changed file with 6 additions and 7 deletions.
diff --git a/src/aleph/vm/orchestrator/views/operator.py b/src/aleph/vm/orchestrator/views/operator.py
@@ -10,7 +10,6 @@
 
 from aleph.vm.models import VmExecution
 from aleph.vm.orchestrator.run import create_vm_execution
-from aleph.vm.orchestrator.views import authenticate_api_request
 from aleph.vm.orchestrator.views.authentication import (
     authenticate_websocket_message,
     require_jwk_authentication,
@@ -68,7 +67,7 @@ async def stream_logs(request: web.Request) -> web.StreamResponse:
         ws = web.WebSocketResponse()
         await ws.prepare(request)
         try:
-            await authenticate_for_vm_or_403(execution, request, vm_hash, ws)
+            await authenticate_websocket_for_vm_or_403(execution, vm_hash, ws)
             await ws.send_json({"status": "connected"})
 
             queue = execution.vm.get_log_queue()
@@ -88,12 +87,12 @@ async def stream_logs(request: web.Request) -> web.StreamResponse:
             execution.vm.unregister_queue(queue)
 
 
-async def authenticate_for_vm_or_403(execution, request, vm_hash, ws):
-    """Allow authentication via HEADER or via websocket"""
-    if authenticate_api_request(request):
-        logger.debug(f"Accepted request to access logs via the allocatioan api key on {vm_hash}")
-        return True
+async def authenticate_websocket_for_vm_or_403(execution: VmExecution, vm_hash: ItemHash, ws: web.WebSocketResponse):
+    """Authenticate a websocket connection.
 
+    Web browsers do not allow setting headers in WebSocket requests, so the authentication
+    relies on the first message sent by the client.
+    """
     first_message = await ws.receive_json()
     credentials = first_message["auth"]
     authenticated_sender = await authenticate_websocket_message(credentials)