From 09a3b9e0b51c8c0a4ffff29581834c5f3b69b79e Mon Sep 17 00:00:00 2001 From: Paul Fertser Date: Wed, 3 Jul 2024 14:11:03 +0000 Subject: Use auth token when not communicating with bmcweb Redfish backends other than OpenBMC bmcweb expect clients to authenticate using X-Auth-Token HTTP header as that's the only standard authentication method for Redfish sessions. This code falls back to using the token in case Session creation didn't result in obtaining an XSRF cookie (as should normally happen with bmcweb). Limitations: all WebSocket-based functionality can not work (JS-based NBD Virtual Media, IP KVM, SOL), page reload drops the session and requires to log in again. Tested: logging in, observing Overview and successfully logging out of an AMI MegaRAC BMC. Logging in and navigating around a bmcweb-running system which doesn't have the code to provide cookies for Session POST request (everything works as usual sans WS-based features). Change-Id: I81dc881193440d8d252dcd283b99915bd08c0c5e Signed-off-by: Paul Fertser --- src/store/api.js | 3 +++ src/store/modules/Authentication/AuthenticanStore.js | 18 ++++++++++++++++-- 2 files changed, 19 insertions(+), 2 deletions(-) diff --git a/src/store/api.js b/src/store/api.js index 32d54277f..664e2b76a 100644 --- a/src/store/api.js +++ b/src/store/api.js @@ -72,6 +72,9 @@ export default { spread(callback) { return Axios.spread(callback); }, + set_auth_token(token) { + axiosInstance.defaults.headers.common['X-Auth-Token'] = token; + }, }; export const getResponseCount = (responses) => { diff --git a/src/store/modules/Authentication/AuthenticanStore.js b/src/store/modules/Authentication/AuthenticanStore.js index b64def069..3122ab2f7 100644 --- a/src/store/modules/Authentication/AuthenticanStore.js +++ b/src/store/modules/Authentication/AuthenticanStore.js @@ -11,6 +11,7 @@ const AuthenticationStore = { xsrfCookie: Cookies.get('XSRF-TOKEN'), isAuthenticatedCookie: Cookies.get('IsAuthenticated'), sessionURI: localStorage.getItem('sessionURI'), + xAuthToken: null, }, getters: { consoleWindow: (state) => state.consoleWindow, @@ -19,19 +20,29 @@ const AuthenticationStore = { // We might have gotten XSRF-TOKEN (and HttpOnly SESSION cookie) by Mutual TLS authentication, // without going through explicit Session creation return ( - state.xsrfCookie !== undefined || state.isAuthenticatedCookie == 'true' + state.xsrfCookie !== undefined || + state.isAuthenticatedCookie == 'true' || + state.xAuthToken !== null ); }, // Used to authenticate WebSocket connections via subprotocol value token: (state) => state.xsrfCookie, }, mutations: { - authSuccess(state, { session }) { + authSuccess(state, { session, token }) { state.authError = false; state.xsrfCookie = Cookies.get('XSRF-TOKEN'); // Preserve session data across page reloads and browser restarts localStorage.setItem('sessionURI', session); state.sessionURI = session; + // If we didn't get the XSRF cookie it means we are talking to a + // Redfish implementation that is not bmcweb. In this case get the token + // from headers and send it with the future requests, do not permanently + // save anywhere. + if (state.xsrfCookie === undefined) { + api.set_auth_token(token); + state.xAuthToken = token; + } }, authError(state, authError = true) { state.authError = authError; @@ -39,11 +50,13 @@ const AuthenticationStore = { logout(state) { Cookies.remove('XSRF-TOKEN'); Cookies.remove('IsAuthenticated'); + api.set_auth_token(undefined); localStorage.removeItem('storedUsername'); state.xsrfCookie = undefined; state.isAuthenticatedCookie = undefined; localStorage.removeItem('sessionURI'); state.sessionURI = null; + state.xAuthToken = null; state.consoleWindow = false; }, }, @@ -58,6 +71,7 @@ const AuthenticationStore = { .then((response) => { commit('authSuccess', { session: response.headers['location'], + token: response.headers['x-auth-token'], }); return isPasswordExpired(response); }) -- cgit v1.2.3