When making a POST request to /api/security/v1/login with valid credentials, I get a 204 (empty response) and no cookie. However, when I send invalid credentials, I get a 401 response.
Request
POST /api/security/v1/login HTTP/1.1
Host: DOMAN:5601
kbn-version: 6.5.4
Content-Type: application/json
Cache-Control: no-cache
{
  "password": "validPassword",
  "username": "validUsername"
}
Response
Status: 204 (No Content)
cache-control → no-cache
connection → close
date → Thu, 07 Feb 2019 19:45:47 GMT
kbn-name → kibana
kbn-xpack-sig → 3d56ded3222e4719c85f75a592fb4375
vary → accept-encoding
If I send incorrect credentials (password or username), I get a 401 response, which is exactly what you'd expect. If Kibana is correctly recognising credentials, I can only assume that our environment is configured correctly?
Request
POST /api/security/v1/login HTTP/1.1
Host: DOMAN:5601
kbn-version: 6.5.4
Content-Type: application/json
Cache-Control: no-cache
{
  "password": "invalidPassword",
  "username": "invalidUsername"
}
Response
{
  "statusCode": 401,
  "error": "Unauthorized",
  "message": "[security_exception] unable to authenticate user [invalidUsername] for REST request [/_xpack/security/_authenticate], with { header={ WWW-Authenticate="Basic realm=\"security\" charset=\"UTF-8\"" } } :: {"path":"/_xpack/security/_authenticate","query":{},"statusCode":401,"response":"{\"error\":{\"root_cause\":[{\"type\":\"security_exception\",\"reason\":\"unable to authenticate user [invalidUsername] for REST request [/_xpack/security/_authenticate]\",\"header\":{\"WWW-Authenticate\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}}],\"type\":\"security_exception\",\"reason\":\"unable to authenticate user [invalidUsername] for REST request [/_xpack/security/_authenticate]\",\"header\":{\"WWW-Authenticate\":\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\"}},\"status\":401}","wwwAuthenticateDirective":"Basic realm=\"security\" charset=\"UTF-8\""}"
}
QUESTION
Do you have to configure the Kibana API in some way to respond with a cookie when using this endpoint? And if so... could someone please provide an example to achieve this?
Thanks in advance
Current approach is based off of this answer...
UPDATE ONE
I have been digging around the Kibana src code and found the file that processes authentication requests to the endpoint mentioned above. Here's the route that handles it... and I can't find any reference to a cookie being created and sent back. Am I missing something here?!
server.route({
  method: 'POST',
  path: '/api/security/v1/login',
  config: {
    auth: false,
    validate: {
      payload: {
        username: Joi.string().required(),
        password: Joi.string().required()
      }
    },
    response: {
      emptyStatusCode: 204,
    }
  },
  async handler(request, reply) {
    const { username, password } = request.payload;
    try {
      // poster's debug output
      console.log('MY DEBUG', username, password)
      const authenticationResult = await server.plugins.security.authenticate(
        BasicCredentials.decorateRequest(request, username, password)
      );
      if (!authenticationResult.succeeded()) {
        return reply(Boom.unauthorized(authenticationResult.error));
      }
      // poster's debug output
      console.log('AUTHENTICATION SUCCEEDED, WHERES MY DAMN COOKIE?!')
      const { authorization } = server.plugins.security;
      if (!authorization.mode.useRbacForRequest(request)) {
        const msg = `${username} relies on index privileges on the Kibana index. This is deprecated and will be removed in Kibana 7.0`;
        server.log(['warning', 'deprecated', 'security'], msg);
      }
      // hand the request back to hapi with the authenticated user as credentials
      return reply.continue({ credentials: authenticationResult.user });
    } catch(err) {
      return reply(wrapError(err));
    }
  }
});
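As an added example (not from the original post and not Kibana's own code), here is a small Node.js checker that classifies a raw login response the way the two exchanges above are described: a 401 is "unauthorized", a 2xx that carries a session Set-Cookie is "session-issued", and a 2xx without one (the 204 seen above) is "no-session-cookie". It also flags a session cookie that lacks HttpOnly or Secure, which is what a reviewer would check once the cookie does appear. The session cookie name `sid` is an assumption (Kibana's default cookie name), and the sample responses are constructed from the headers quoted in the post, not captured traffic.

```javascript
// Added example: classify a raw HTTP login response and report whether a
// session cookie was issued. Not from the original post or from Kibana.

// Assumption: Kibana's default session cookie name.
const SESSION_COOKIE = 'sid';

// Constructed from the 204 headers quoted in the post (no set-cookie present).
const RESPONSE_204_NO_COOKIE = [
  'HTTP/1.1 204 No Content',
  'cache-control: no-cache',
  'connection: close',
  'kbn-name: kibana',
  'vary: accept-encoding',
  '', '',
].join('\r\n');

// Constructed: what a successful login with a session cookie would look like.
const RESPONSE_204_WITH_COOKIE = [
  'HTTP/1.1 204 No Content',
  'cache-control: no-cache',
  'set-cookie: sid=CONSTRUCTED_SESSION_VALUE; Path=/; HttpOnly; Secure',
  'kbn-name: kibana',
  '', '',
].join('\r\n');

// Constructed from the 401 exchange quoted in the post.
const RESPONSE_401 = [
  'HTTP/1.1 401 Unauthorized',
  'www-authenticate: Basic realm="security" charset="UTF-8"',
  'content-type: application/json; charset=utf-8',
  '', '',
].join('\r\n');

// Split a raw response into its status code and a list of [name, value] headers.
function parseRawResponse(raw) {
  const [head] = raw.split(/\r?\n\r?\n/, 1);
  const lines = head.split(/\r?\n/);
  const statusLine = lines.shift();
  const m = /^HTTP\/\d(?:\.\d)?\s+(\d{3})/.exec(statusLine);
  if (!m) throw new Error('bad status line: ' + statusLine);
  const headers = [];
  for (const line of lines) {
    const idx = line.indexOf(':');
    if (idx < 0) continue;
    headers.push([line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim()]);
  }
  return { status: Number(m[1]), headers };
}

// Parse one Set-Cookie value into its name and the two attributes we care about.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq < 0 ? pair : pair.slice(0, eq);
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return { name, httpOnly: flags.has('httponly'), secure: flags.has('secure') };
}

// Classify the login response and collect warnings about the session cookie.
function classifyLogin(raw, cookieName = SESSION_COOKIE) {
  const { status, headers } = parseRawResponse(raw);
  const cookies = headers
    .filter(([k]) => k === 'set-cookie')
    .map(([, v]) => parseSetCookie(v));
  const session = cookies.find((c) => c.name === cookieName) || null;

  let verdict;
  if (status === 401) verdict = 'unauthorized';
  else if (status >= 200 && status < 300) verdict = session ? 'session-issued' : 'no-session-cookie';
  else verdict = 'unexpected';

  const warnings = [];
  if (session && !session.httpOnly) warnings.push('session cookie lacks HttpOnly');
  if (session && !session.secure) warnings.push('session cookie lacks Secure');
  return { status, verdict, session, warnings };
}

// Stand-alone run: print the verdict for each constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, raw] of [
    ['204 without cookie', RESPONSE_204_NO_COOKIE],
    ['204 with cookie', RESPONSE_204_WITH_COOKIE],
    ['401', RESPONSE_401],
  ]) {
    const r = classifyLogin(raw);
    console.log(label, '->', r.verdict, r.warnings.length ? r.warnings : '');
  }
}
```

Run it with `node` to see the three verdicts; to check a real Kibana instance, paste the raw response (status line plus headers) from your HTTP client into `classifyLogin`. A verdict of "no-session-cookie" on a 2xx is exactly the situation described in the post, and is the first thing to confirm before looking at the server side.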