Upgrade to forest-express-mongoose@7.x.x failed due to openid login callback

After upgrading my development backend liana from forest-express-mongoose 5.4.0 → 7.6.2, I am no longer able to access the development environment on forest. I am receiving the error:

Unable to authenticate you

Please verify that your admin backend is correctly configured and running, and that you have access to the internet.

On inspection of the backend I am seeing the following issue:

[forest] Unable to register the client
{
  "configuration": {
    "authorization_endpoint": "https://api.forestadmin.com/oidc/auth",
    "device_authorization_endpoint": "https://api.forestadmin.com/oidc/device/auth",
    "claims_parameter_supported": false,
    "claims_supported": [
      "sub",
      "email",
      "sid",
      "auth_time",
      "iss"
    ],
    "code_challenge_methods_supported": [
      "S256"
    ],
    "end_session_endpoint": "https://api.forestadmin.com/oidc/session/end",
    "grant_types_supported": [
      "authorization_code",
      "urn:ietf:params:oauth:grant-type:device_code"
    ],
    "id_token_signing_alg_values_supported": [
      "HS256",
      "RS256"
    ],
    "issuer": "https://api.forestadmin.com",
    "jwks_uri": "https://api.forestadmin.com/oidc/jwks",
    "registration_endpoint": "https://api.forestadmin.com/oidc/reg",
    "response_modes_supported": [
      "query"
    ],
    "response_types_supported": [
      "code",
      "none"
    ],
    "scopes_supported": [
      "openid",
      "email",
      "profile"
    ],
    "subject_types_supported": [
      "public"
    ],
    "token_endpoint_auth_methods_supported": [
      "none"
    ],
    "token_endpoint_auth_signing_alg_values_supported": [],
    "token_endpoint": "https://api.forestadmin.com/oidc/token",
    "request_object_signing_alg_values_supported": [
      "HS256",
      "RS256"
    ],
    "request_parameter_supported": false,
    "request_uri_parameter_supported": true,
    "require_request_uri_registration": true,
    "claim_types_supported": [
      "normal"
    ]
  },
  "registration": {
    "redirect_uris": [
      "http://localhost:8080/forest/authentication/callback"
    ],
    "token_endpoint_auth_method": "none"
  },
  "error": {
    "name": "RequestError",
    "code": "ECONNREFUSED",
    "timings": {
      "start": 1622133518502,
      "socket": 1622133518503,
      "lookup": 1622133518503,
      "error": 1622133520532,
      "phases": {
        "wait": 1,
        "dns": 0,
        "total": 2030
      }
    }
  }
}

Unhandled Rejection at: Promise Promise {
  <rejected> RequestError: connect ECONNREFUSED 127.0.0.1:443
      at ClientRequest.<anonymous> (C:\Users\joepe\Code\buffl-backend-api\node_modules\openid-client\node_modules\got\dist\source\core\index.js:956:111)
      at Object.onceWrapper (events.js:422:26)
      at ClientRequest.emit (events.js:327:22)
      at ClientRequest.origin.emit (C:\Users\joepe\Code\buffl-backend-api\node_modules\@szmarczak\http-timer\dist\source\index.js:39:20)
      at TLSSocket.socketErrorListener (_http_client.js:467:9)
      at TLSSocket.emit (events.js:315:20)
      at emitErrorNT (internal/streams/destroy.js:100:8)
      at emitErrorCloseNT (internal/streams/destroy.js:68:3)
      at processTicksAndRejections (internal/process/task_queues.js:84:21)
      at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1141:16) {
    code: 'ECONNREFUSED',
    timings: {
      start: 1622133518502,
      socket: 1622133518503,
      lookup: 1622133518503,
      connect: undefined,
      secureConnect: undefined,
      upload: undefined,
      response: undefined,
      end: undefined,
      error: 1622133520532,
      abort: undefined,
      phases: [Object]
    }
  }
}

I followed the migration steps from 5.x.x → 6.x.x at which point the configuration was working fine. After the upgrade from 6.x.x → 7.x.x this started happening. I’ve followed all the steps outlined in https://docs.forestadmin.com/documentation/how-tos/maintain/upgrade-notes-sql-mongodb/upgrade-to-v7

Expected behavior

I would expect that open id authentication is not required for the development backend, as there is no valid callback URL to provide to the forest server… However I am not sure how or where to configure this.

Actual behavior

The forest backend seems to be trying to connect to 127.0.0.1:443 for OpenId authentication, but the connection is being refused.

Failure Logs

See above

Context

  • Package Version: 7.6.2
  • Express Version: 4.17.1
  • Mongoose Version: 5.8.4
  • Database Dialect: Mongoose
  • Database Version: 4

Hello @Joep,

Looking at your log, I think you misconfigured your APPLICATION_URL.

What is your APPLICATION_URL configuration? On which PORT do you run your agent?

Thanks in advance for your response.

Kind regards,
Morgan

Hi Morgan,

My .env file has the following setting:

...
APPLICATION_URL=http://localhost:8080
...

and my backend is running on port 8080 (I assume that is what you mean by agent?)

I’m pretty sure my application_url is loaded correctly, because during a deep-dive debugging session, I logged the configuration of the openID request, which was the following:

{
  headers: {
    Authorization: 'Bearer 30459e5236a2e4c3bbec8f7f9153bb48005aba38a8f667220e7453114ff38dd8'
  },
  responseType: 'json',
  json: {
    client_id: undefined,
    redirect_uris: [ 'http://localhost:8080/forest/authentication/callback' ],
    token_endpoint_auth_method: 'none'
  },
  url: 'https://api.forestadmin.com/oidc/reg',
  method: 'POST'
}

Unless I’m misunderstanding the inner workings here, it seems the redirect url is correct?

Thanks!

Hello @Joep,

Ok. Those settings seem good to me. I don’t understand why your backend (yes, that is what I mean by agent) is trying to connect to 127.0.0.1:443.

Can you provide all your ENV CONFIG (just without the FOREST_ENV_SECRET)?
Also, can you provide your dependencies (from your package.json)?

Kind regards,
Morgan

Hi Morgan,

As far as I can see (after following the runtime into the forest packages), it is not my agent that is connecting to 127.0.0.1:443. My agent is actually making an OpenID request to https://api.forestadmin.com/oidc/reg, but this request is returning an HTTP 500 because the forest server is trying to reach 127.0.0.1:443.

My env config (sensitive data is obfuscated, of course):

CLIENT_APP_URL=/clients
ADMIN_APP_URL=/admin
USER_APP_URL=/users
ORGANISATION_APP_URL=/organisations
APPLICATION_URL=http://localhost:8080

SERVER_ENV=develop

PUBLIC_URL=[OBFUSCATED]

SERVER_NAME=localhost
SERVER_PORT=8080
SERVER_PROTOCOL=http
SERVER_URL=${SERVER_PROTOCOL}://${SERVER_NAME}:${SERVER_PORT}
SERVER_SECRET=[OBFUSCATED]

DATABASE_URI=mongodb://127.0.0.1:27017/[OBFUSCATED]
PROD_DATABASE_URI=false

SMTP_HOST=localhost
SMTP_PORT=8081
SMTP_SECURE=false
SMTP_AUTH=false
SMTP_USER_NOREPLY=false
SMTP_PASS_NOREPLY=false
SMTP_USER_WINNER=false
SMTP_PASS_WINNER=false

MEDIA_FOLDER=/tmp/media
MEDIA_URL=/media
UPLOAD_FOLDER=/tmp/upload
UPLOAD_URL=/uploads

FOREST_ENV_SECRET=[OBFUSCATED]
FOREST_AUTH_SECRET=[OBFUSCATED]
ADMIN_URL=[OBFUSCATED]

STORAGE_URL=[OBFUSCATED]
AZURE_CONNECTION_STRING=[OBFUSCATED]

PUSH_CHUNK_SIZE=20
PUSH_CHUNK_DELAY=10

SENDGRID_API=[OBFUSCATED]
AUTOMATION_TESTS_RUNNING=false

TRUFFL_SERVER_URL=[OBFUSCATED]

AZURE_PUSH_URL=[OBFUSCATED]
AZURE_PUSH_KEY_NAME=[OBFUSCATED]
AZURE_PUSH_KEY=[OBFUSCATED]

FRESHWORKS_ENABLED=false
FRESHWORKS_NAME=[OBFUSCATED]
FRESHWORKS_API_KEY=[OBFUSCATED]

HEAPMEMORY_SNAPSHOT_FILE_PATH=value

Hello @Joep ,

Can you share with us your HTTP request that is failing (500 status) from your network console, and also the associated response, please? :slight_smile:

Do you have any other errors in the console that could be linked to this issue?

Hi,

Upon trying to log the request, I found out that it is actually never hitting the forest api server after all. Somehow, when the request is being handled by the https package, the URL is transformed from api.forestadmin.com to localhost.

I found a similar thread which I dismissed before: https://community.forestadmin.com/t/authentication-error-after-migrating-to-forest-express-sequelize-v7/2440/7. This person attributed the bug to the nest.js package which was wrapping express, but this did not apply to me.

However, it did make me consider that recreating the project from scratch and bare-boned might give me some further clues.

So after doing that, the configuration in the new bare-bones project seems to work (I’m able to connect to forest admin using that project). So is it possible that my old project is somehow patching the https module with buggy behaviour???

I’ll keep investigating and updating this thread as I find out more. Anyway, thanks for the help so far!

So, after exhaustively commenting out imports, I traced the issue back to an outdated package: google-auth-library. After updating this package to the latest version, everything is working fine :raised_hands:

1 Like
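
The bisection described in the post above (commenting out imports until the request stops being rewritten) can be automated. This is an added example, not code from the thread, Forest Admin or google-auth-library; it assumes the cause is a dependency replacing exports on Node's core `http`/`https` modules when it loads, and the module names in `demo()` are hypothetical.

```javascript
const http = require('http');
const https = require('https');
// Core exports a dependency might replace at load time.
const CORE = { http, https };
const WATCHED = ['request', 'get', 'globalAgent'];

// Record the current identity of every watched export.
function snapshot() {
  const snap = {};
  for (const mod of Object.keys(CORE)) {
    for (const name of WATCHED) snap[`${mod}.${name}`] = CORE[mod][name];
  }
  return snap;
}

// Names of watched exports that no longer match the snapshot.
const diff = (before) => Object.keys(before).filter((key) => {
  const [mod, name] = key.split('.');
  return CORE[mod][name] !== before[key];
});

// Load modules one at a time and report which ones replaced a core export.
function findPatchers(moduleNames, load = require) {
  const report = [];
  for (const name of moduleNames) {
    const before = snapshot();
    try { load(name); } catch (err) {
      report.push({ module: name, error: err.code || err.message });
      continue;
    }
    const patched = diff(before);
    if (patched.length > 0) report.push({ module: name, patched });
  }
  return report;
}

// Constructed stand-in for a dependency that wraps https.request when loaded.
function demo() {
  const original = https.request;
  const fakeLoad = (name) => {
    if (name === 'hypothetical-patching-dep') https.request = (...args) => original(...args);
  };
  try {
    return findPatchers(['hypothetical-clean-dep', 'hypothetical-patching-dep'], fakeLoad);
  } finally {
    https.request = original; // leave the process unmodified
  }
}
```

On a real project, call `findPatchers` with the dependency names from package.json at the very top of the entry file, before anything else has been required, because modules already in the require cache are not executed again.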

Hey @Joep,

What good news. :slight_smile:
I was looking at the issue in GitHub and they talked about other dependencies potentially causing the issue.

Have a nice day.

Kind regards,
Morgan

1 Like