
[Bug] gRPC API Has No Authentication #858

Closed
070hm opened this issue Jul 13, 2024 · 3 comments

Comments

@070hm

070hm commented Jul 13, 2024

The API for getting info in gRPC has no authentication at all. I can call the info through gRPC and get the result without requiring authentication, but when I call the info API, it requires authentication.

My Centrifugo configuration is:

{
  "token_hmac_secret_key": "admin",
  "api_key": "admin",
  "admin_password": "admin",
  "admin_secret": "admin",
  "admin": true,
  "namespaces": [{
    "name": "personal"
  }],
  "grpc_api": true
}

When I call the REST API localhost:8000/api/info, it requires an X-API-Key and returns a 401 Unauthorized error if the key is not provided. However, when I call the gRPC info service on localhost:10000, I can get the info without any error.

Versions

Centrifugo version is 5.4.1
Operating system is Windows, Docker

Steps to Reproduce

  • Run the Centrifugo Docker image with the following command: docker run --rm --ulimit nofile=262144:262144 -v C:\Users\user\centrifugo:/centrifugo --network my-net --net host -p 8000:8000 -p 10000:10000 centrifugo/centrifugo:v5 centrifugo -c config.json
  • Use Postman to call the gRPC info method without providing the authorization metadata (apiKey).
  • The call will return the info of the Centrifugo server without any error.

Expected behavior

When calling gRPC methods without providing an API key, it should return a 401 Unauthorized error

@FZambia
Member

FZambia commented Jul 13, 2024

Hello, generally it's expected – GRPC comes without auth by default. It's possible to protect it with API key, see:

https://centrifugal.dev/docs/server/server_api#grpc-api-key-authorization

Probably the decision was like this because there was no common default way to make auth with GRPC and it runs on separate port.

It's also possible to configure mTLS - this is not very well documented at this point - but basically for Centrifugo v5 using grpc_api_tls_client_ca (path to PEM file) or grpc_api_tls_client_ca_pem (raw PEM string), with additions in #831 should become more clear.

@070hm
Author

070hm commented Jul 13, 2024

> Hello, generally it's expected – GRPC comes without auth by default. It's possible to protect it with API key, see:
>
> https://centrifugal.dev/docs/server/server_api#grpc-api-key-authorization
>
> Probably the decision was like this because there was no common default way to make auth with GRPC and it runs on separate port.
>
> It's also possible to configure mTLS - this is not very well documented at this point - but basically for Centrifugo v5 using grpc_api_tls_client_ca (path to PEM file) or grpc_api_tls_client_ca_pem (raw PEM string), with additions in #831 should become more clear.

Oh, sorry, I missed adding that. I was thinking it was the same API key for the rest: grpc_api_key: admin. Thanks!
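As an added check, not code from Centrifugo or from anyone in this thread: a small Go audit that parses a Centrifugo v5 config and reports the situation described above, where grpc_api is enabled but neither grpc_api_key nor an mTLS client CA (grpc_api_tls_client_ca / grpc_api_tls_client_ca_pem) protects it, and where api_key is mistakenly assumed to cover gRPC. The key names come from this thread; the sample config is constructed from the reporter's.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// grpcAuthConfig holds only the Centrifugo v5 keys relevant to this check;
// all other keys in the config (namespaces, admin settings, ...) are ignored.
type grpcAuthConfig struct {
	GRPCAPI            bool   `json:"grpc_api"`
	GRPCAPIKey         string `json:"grpc_api_key"`
	GRPCTLSClientCA    string `json:"grpc_api_tls_client_ca"`
	GRPCTLSClientCAPEM string `json:"grpc_api_tls_client_ca_pem"`
	APIKey             string `json:"api_key"` // protects the HTTP API only
}

// AuditGRPCAPI returns human-readable findings for a config; an empty result
// means the gRPC API is either disabled or protected by a key or mTLS.
func AuditGRPCAPI(cfgJSON []byte) ([]string, error) {
	var cfg grpcAuthConfig
	if err := json.Unmarshal(cfgJSON, &cfg); err != nil {
		return nil, fmt.Errorf("parse config: %w", err)
	}
	if !cfg.GRPCAPI {
		return nil, nil // gRPC API not exposed, nothing to check
	}
	hasKey := cfg.GRPCAPIKey != ""
	hasMTLS := cfg.GRPCTLSClientCA != "" || cfg.GRPCTLSClientCAPEM != ""
	if hasKey || hasMTLS {
		return nil, nil
	}
	findings := []string{"grpc_api is enabled but neither grpc_api_key nor an mTLS client CA is set: the gRPC API accepts unauthenticated calls"}
	if cfg.APIKey != "" {
		findings = append(findings, "api_key only protects the HTTP API; it is not applied to the gRPC API (set grpc_api_key separately)")
	}
	return findings, nil
}

// Constructed sample mirroring the config posted in the issue.
const sampleConfig = `{"api_key": "admin", "admin": true, "grpc_api": true}`

func main() {
	findings, err := AuditGRPCAPI([]byte(sampleConfig))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Println("FINDING:", f)
	}
}
```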

@070hm
Author

070hm commented Jul 13, 2024

@FZambia, thanks a lot for your help. God bless you.

@070hm 070hm closed this as completed Jul 13, 2024