ApiKey authentication and Message Queue

tiptopweb · October 31, 2022, 8:40am

Hello,
I am trying to set a secure TestMqMessage service as the handler for a Redis Message Queue.
The Authentication is ApiKey

[Authenticate(ApiKeyAuthProvider.Name)]
public object Any(TestMqMessage request)
{ ... }

I do not have a SessionId available
I was hoping something like this would work (adding the Authorization header instead of a SessionId)
Do you have an idea how I can proceed?

var clientsManager = container.Resolve<IRedisClientsManager>();
var mqHost = new RedisMqServer(clientsManager, retryCount: 2);

mqHost.RegisterHandler<TestMqMessage>(m =>
{
   var req = new BasicRequest { Verb = HttpMethods.Post };
   req.Headers[Keywords.Authorization] = "Bearer " + m.GetBody().BearerToken;

   return ServiceStackHost.Instance.ServiceController.ExecuteMessage(m, req);
});

mythz · October 31, 2022, 11:18am

Please see Authenticated Requests via MQ docs, i.e. Request DTOs should implement IHasBearerToken.

tiptopweb · October 31, 2022, 11:35am

Hello
Yes it does,

public class TestMqMessage: IReturn<TestMqMessageResponse>,  IHasBearerToken
{
    public string BearerToken { get; set; }
    //...
}

I have been looking at the docs, but it is asking to get the SessionId
It does not make sense for the Api Key authentication?
I do not have a Client publishing to the queue, the client is a Web Service from another server. I do not have a Session. I just have a BearerToken.
I think I do not understand the docs.

For the JWT, it seems you have a function to convert the JWT to a Session.
I understand your answer here using

var session = jwtAuth.ConvertJwtToSession(req, jwt);

In my case where do I find a Session?

req.Headers["X-ss-id"] = m.GetBody().SessionId;

mythz · October 31, 2022, 12:23pm

API Key is a Bearer Token Auth Provider, so populating IHasBearerToken.BearerToken should work.

If you can debug into the library source code, put a breakpoint on this line to try to find out why it’s not Authenticating:

github.com

ServiceStack/ServiceStack/blob/103646809fecd2c78d4284a26508bd048f6bb1b8/ServiceStack/src/ServiceStack/Auth/ApiKeyAuthProvider.cs#L269


public virtual async Task PreAuthenticateAsync(IRequest req, IResponse res)
{
    //The API Key is sent in the Basic Auth Username and Password is Empty
    var userPass = req.GetBasicAuthUserAndPassword();
    if (userPass != null && string.IsNullOrEmpty(userPass.Value.Value))
    {
        var apiKey = await GetApiKeyAsync(req, userPass.Value.Key).ConfigAwait();
        await PreAuthenticateWithApiKeyAsync(req, res, apiKey).ConfigAwait();
    }
    var bearerToken = req.GetBearerToken();
    if (bearerToken != null)
    {
        var apiKey = await GetApiKeyAsync(req, bearerToken).ConfigAwait();
        if (apiKey != null)
        {
            await PreAuthenticateWithApiKeyAsync(req, res, apiKey).ConfigAwait();
        }
    }


    if (AllowInHttpParams)
    {

tiptopweb · November 2, 2022, 8:01am

I managed to run a remote debugger

Object reference not set to an instance of an object.
ServiceStack.Auth.NetCoreIdentityAuthProvider.PreAuthenticateAsync(IRequest req, IResponse res)
in /ServiceStack/ServiceStack/ServiceStack/src/ServiceStack/Auth/NetCoreIdentityAuthProvider.cs:line 113

So the issue is not connected to the ApiKey Auth, but to another authentication

        public void Configure(IAppHost appHost)
        {
            var appSettings = appHost.AppSettings;
            appHost.Plugins.Add(new AuthFeature(() => new CustomUserSession(),
                new IAuthProvider[] {
                    new ApiKeyAuthProvider(appSettings),
                    new NetCoreIdentityAuthProvider(appSettings),
                    new CredentialsAuthProvider(appSettings),     
                })

Seems like the NetCoreIdentityAuthProvider is interfering.
I am using it only to be able to log in a Hangfire Dashboard and it is probably not correctly set-up

If I decorate my services with:

[Authenticate(ApiKeyAuthProvider.Name)]

It is working and not calling the NetCoreIdentityAuthProvider which is good enough for me.

mythz · November 2, 2022, 9:19am

thx for the StackTrace, the NRE should be resolved from the latest v6.4.1+ that’s now available on MyGet.