Is there some special setting related to productio...
# help
r
Is there some special setting related to production glue backend api related to authentication? I can't seem to see any difference in configuration but the endpoints in prod say 403 forbidden
l
What is the endpoint you’re trying with? Besides the 403, there must be a response body, providing some context
r
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
</body>
</html>

<!-- POST <https://glue-backend.fi>.....t -->
<!-- HTTP/1.1 403 Forbidden -->
<!-- Server: awselb/2.0 -->
<!-- Date: Thu, 01 Jun 2023 10:51:44 GMT -->
<!-- Content-Type: text/html -->
<!-- Content-Length: 118 -->
<!-- Connection: keep-alive -->
<!-- Request duration: 0.407144s -->
the endpoint is identical compared to our staging environment, just the hostname is different
l
what’s the endpoint (besides the host)?
r
our custom endpoint, can that be relevant?
called return-order-request, and I can't seem to find any mention from Cloudwatch that it's being called in prod, staging sure
l
Asking to understand if it’s protected or not. It would also be worth checking the error logs; sometimes a 403 can even be returned for internal errors, especially if you have some validators failing.
r
yeah it is protected, maybe it just fails on that without any logging 🤔
that would still not explain why it is not protected on staging 🤔
l
That could be the case! It is also important to understand how you are accessing it - via just a browser vs. a proper request with all headers (incl. the token)? And are you sure you test exactly the same way on stage vs. prod (user with the right permissions, orders, etc.)?
r
I'm just CURLing the endpoint and switching the hostname
l
But for a protected resource you need to get the right auth token first. It won’t work if you just change the hostname. You need to authorise properly first.
r
yes, that would explain it if it also didn't work on staging 😄
l
Requests from staging to protected resources won’t work on production by just changing the hostname. Just try your feature by first obtaining the auth token. Even if you do it for the same user (email), you will see it looks different. If what you describe would work on production (use staging credentials, but just change the hostname), I’d be seriously concerned about the security of the system 😉
r
my colleague who made this is on vacation so I'm flying blind 😄. The endpoint is in fact not protected (currently, as expected). If I actually curl the endpoint it answers because it uses HTTP/2, but not with HTTP/1.x. Are there some optimizations related to this?
🤔 it's not that, something weird is going on, I need to debug more...
Ok, seems that the user-agent header is required?