
401 on metrics gathering (exportarr issue, closed)

alexmobo commented on August 15, 2024
401 on metrics gathering

from exportarr.

Comments (10)

rtrox commented on August 15, 2024

Yea, double-checked just to be sure, just setting the api-key results in a 401 when you have form auth enabled :-/

* Preparing request to https://radarr-form-test.redact.com/api/v3/movies
* Current time is 2023-03-14T21:47:28.677Z
* Enable automatic URL encoding
* Using default HTTP version
* Enable SSL validation
* Found bundle for host radarr-form-test.redact.com: 0x7fa9d49b60c0 [can multiplex]
* Re-using existing connection! (#42) with host radarr-form-test.redact.com
* Connected to radarr-form-test.redact.com (172.18.3.1) port 443 (#42)
* Server auth using Digest with user ''
* Using Stream ID: 9 (easy handle 0x7fa9d0981a00)

> GET /api/v3/movies HTTP/2
> Host: radarr-form-test.redact.com
> user-agent: insomnia/2022.7.5
> x-api-key: cBew50TCxrR6jRxmr1VTYGet0FcA9d7LRdXB1WZjnlp64KXla
> accept: */*

< HTTP/2 401 
< date: Tue, 14 Mar 2023 21:47:28 GMT
< content-length: 0
< strict-transport-security: max-age=15724800; includeSubDomains


* Connection #42 to host radarr-form-test.redact.com left intact

I'd be surprised if other services that use the *arr APIs as clients (prowlarr, sab, overseerr, etc.) support form auth, but it's easy enough to implement, and gives me an excuse to clean up some of the auth code I wrote in the transport.

from exportarr.

onedr0p commented on August 15, 2024

Please share the exportarr, sonarr and radarr versions you are using and your configuration for exportarr.

from exportarr.

alexmobo commented on August 15, 2024
  • Radarr Version: 4.2.4.6635
  • Sonarr Version: 3.0.9.1549
  • Exportarr Version: Latest (Can only see that tag in docker image. Image was created 2022-07-03T02:31:40.312380211Z and sha256 is aa44e535500e20c7f22f802cd19496c79ae4a982e24e9677f98ed5ea8ad3784e)

Radarr Exportarr config:

    radarr-exportarr:
        image: ghcr.io/onedr0p/exportarr:latest
        container_name: radarr-exportarr
        expose:
            - "9708"
        command: radarr
        environment:
            - PORT=9708
            - URL=http://radarr:7878
            - API_KEY=xxx
            - ENABLE_ADDITIONAL_METRICS=true
            - BASIC_AUTH_USERNAME=xxx
            - BASIC_AUTH_PASSWORD=xxx
        restart: unless-stopped

Sonarr Exportarr config:

    sonarr-exportarr:
        image: ghcr.io/onedr0p/exportarr:latest
        container_name: sonarr-exportarr
        expose:
            - "9707"
        command: sonarr
        environment:
            - PORT=9707
            - URL=http://sonarr:8989
            - API_KEY=xxx
            - ENABLE_ADDITIONAL_METRICS=true
            - BASIC_AUTH_USERNAME=xxx
            - BASIC_AUTH_PASSWORD=xxx
        restart: unless-stopped

from exportarr.

onedr0p commented on August 15, 2024

I always thought the API endpoint was only protected by the apikey but it appears not?

from exportarr.

rtrox commented on August 15, 2024

Spun up a test instance to put form auth on. This is the query generated by radarr when it logs in via Form Auth:

curl 'https://radarr-form-test.redact.com/login?ReturnUrl=%2Fsettings%2Fgeneral' \
  -H 'authority: radarr-form-test.redact.com' \
  -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'cache-control: max-age=0' \
  -H 'content-type: application/x-www-form-urlencoded' \
  -H 'origin: https://radarr-form-test.redact.com' \
  -H 'referer: https://radarr-form-test.redact.com/login?ReturnUrl=%2Fsettings%2Fgeneral' \
  -H 'sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: document' \
  -H 'sec-fetch-mode: navigate' \
  -H 'sec-fetch-site: same-origin' \
  -H 'sec-fetch-user: ?1' \
  -H 'upgrade-insecure-requests: 1' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36' \
  --data-raw 'username=asdf12345&password=asdf12345&rememberMe=on' \
  --compressed

from exportarr.

rtrox commented on August 15, 2024

It then uses a token for auth:

curl 'https://radarr-form-test.redact.com/api/v3/movie' \
  -H 'authority: radarr-form-test.redact.com' \
  -H 'accept: */*' \
  -H 'accept-language: en-US,en;q=0.9' \
  -H 'cookie: RadarrAuth=CfDJ8CZeFV_jHPtEh6adz5_lLcTw2WL6DJgVf81GzoXLJyodD4xZy3FK4s7GAuoiy9NtLF5bGejogQo3bnF6RML3Frd-KjtT2fhUIu_GUHtWc6uebkx9cOES93Irov9fKDB7EyOphCaOoON8a_l2vSr52WQRTw93X8uOMj6Vjri9ehrhYPmL_oA2fEIsN8uFsyUj8j8u5LxDs9JfUv-X3rkQnkFwSdds_CoyTDLvMEKsYg4KzLayC06zqxgPptDZHO7f5Yv9PgORBoUj9WUAar_HPDXHBhy30jSQL-EVl2VQlegVr6RsUl8AIL1RrQnDlAVqtd9vnAvVBMf2BV_DYKPCh9aQt-gy3uDCvQtH_h8ITpAd6HXZu_JALUgodTdSgF4M_L3-5i-FmHrBjWTlOoSrcQ_7P0lobetzmP2YX1MpOOtY60BxCAEZxRZOVEaizJ2y1A' \
  -H 'referer: https://radarr-form-test.redact.com/' \
  -H 'sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-origin' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36' \
  -H 'x-api-key: abcdef0123456789abcdef0123456789' \
  -H 'x-requested-with: XMLHttpRequest' \
  --compressed

from exportarr.

rtrox commented on August 15, 2024

Looks like this is the minimum needed query to retrieve a cookie:

curl -X POST --url https://radarr-form-test.redact.com/login -H 'content-type: application/x-www-form-urlencoded' --data username=asdf12345 --data password=asdf12345 --data rememberMe=on

from exportarr.

rtrox commented on August 15, 2024

And this works as an API call:

curl --url https://radarr-form-test.redact.com/api/v3/movie \
    -H "cookie: RadarrAuth=CfDJ8CZeFV_jHPtEh6adz5_lLcSS11mbK18_9lrwf3FO2BhhkjRSZf5GT5e7JCKn510sJ8Zl5bK0YB0x0mbwBYj94d8PMRVD6bjYYqY2JbqM7JSFIZGYpXtYShnKVj7Gd6W8yg0awuzvfAwBf-Lu-2Cwm-amuQw89W7Z1ywsPGMy38YMxem5nO7ThvqBDChKCSR5dGxVGWdclNnqY3pqP4jylyEOmoSIsFGCl9TPSaSRspG_gxWsytWsQ0Rkb_DbnQvnjdBmZpSjgn2oWgXf5eJMmsaU6c9H0_X0EH03objO1NV5b_zxtBaK_lZLkcqzkdas0vdUhMeHZJvixOqGTRskWmAX7XQoyhzx22aJK3ysdJNaVIDKBzBjFD_VgZ9HY0jiHgU_nbY56bfilSVvOrjTPj25K_Pyaf6C4a-bCYxutaiKWc2FIZAq2DVCIYrsjBgI5w" \
    -H 'x-api-key: abcdef0123456789abcdef0123456789' \
    -Li

I think we still need to figure out expiration time so I can do cookie expiration management, but I think this is a reasonable start. Worst case, we can just re-auth when we get a 401.

Nvm, looks like there's an expiration time set in the cookie response:

~ ❯❯❯ curl -X POST --url https://radarr-form-test.redact.com/login -H 'content-type: application/x-www-form-urlencoded' --data username=asdf12345 --data password=asdf12345 --data rememberMe=on -Li
HTTP/2 302
date: Tue, 14 Mar 2023 19:56:07 GMT
content-length: 0
cache-control: no-cache,no-store
expires: Thu, 01 Jan 1970 00:00:00 GMT
last-modified: Sat, 11 Feb 2023 18:51:05 GMT
location: /
pragma: no-cache
set-cookie: RadarrAuth=CfDJ8CZeFV_jHPtEh6adz5_lLcSS11mbK18_9lrwf3FO2BhhkjRSZf5GT5e7JCKn510sJ8Zl5bK0YB0x0mbwBYj94d8PMRVD6bjYYqY2JbqM7JSFIZGYpXtYShnKVj7Gd6W8yg0awuzvfAwBf-Lu-2Cwm-amuQw89W7Z1ywsPGMy38YMxem5nO7ThvqBDChKCSR5dGxVGWdclNnqY3pqP4jylyEOmoSIsFGCl9TPSaSRspG_gxWsytWsQ0Rkb_DbnQvnjdBmZpSjgn2oWgXf5eJMmsaU6c9H0_X0EH03objO1NV5b_zxtBaK_lZLkcqzkdas0vdUhMeHZJvixOqGTRskWmAX7XQoyhzx22aJK3ysdJNaVIDKBzBjFD_VgZ9HY0jiHgU_nbY56bfilSVvOrjTPj25K_Pyaf6C4a-bCYxutaiKWc2FIZAq2DVCIYrsjBgI5w; expires=Tue, 21 Mar 2023 19:56:07 GMT; path=/; secure; samesite=lax; httponly
x-application-version: 4.4.2.6956
strict-transport-security: max-age=15724800; includeSubDomains

Ok, I think this is enough to go on, we just need to add some sort of boolean config option to indicate that form auth is configured.

from exportarr.
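
The flow worked out in the comment above (form login, a session cookie with an expires attribute, re-auth on a 401), as an added Go example that is not part of the thread and is not exportarr's implementation. `FormAuth` and its fields are hypothetical names. It assumes GET requests issued from a single goroutine and a login response whose first cookie is the session cookie.

```go
package main

import (
	"net/http"
	"net/url"
	"time"
)

// FormAuth is a hypothetical RoundTripper, not exportarr's code; form fields are from the thread.
type FormAuth struct {
	Base, User, Pass, APIKey string
	Next                     http.RoundTripper
	cookie                   *http.Cookie // cached session cookie, e.g. RadarrAuth
}

func (f *FormAuth) login() error {
	form := url.Values{"username": {f.User}, "password": {f.Pass}, "rememberMe": {"on"}}
	c := http.Client{Transport: f.Next, CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse // stop at the 302 that carries Set-Cookie
	}}
	resp, err := c.PostForm(f.Base+"/login", form)
	if err != nil {
		return err
	}
	resp.Body.Close()
	if cs := resp.Cookies(); len(cs) > 0 {
		f.cookie = cs[0] // the login response in the thread sets exactly one cookie
		return nil
	}
	return http.ErrNoCookie // no session issued, e.g. rejected credentials
}

func (f *FormAuth) RoundTrip(req *http.Request) (*http.Response, error) {
	for attempt := 0; ; attempt++ { // at most one re-login after a 401
		if c := f.cookie; c == nil || (!c.Expires.IsZero() && time.Now().After(c.Expires)) {
			if err := f.login(); err != nil {
				return nil, err
			}
		}
		r := req.Clone(req.Context())
		r.Header.Set("X-Api-Key", f.APIKey) // still required alongside the cookie
		r.AddCookie(f.cookie)
		resp, err := f.Next.RoundTrip(r)
		if err != nil || resp.StatusCode != http.StatusUnauthorized || attempt > 0 {
			return resp, err
		}
		resp.Body.Close()
		f.cookie = nil // session rejected before its expires time: log in again
	}
}
```

Wire it in with `&http.Client{Transport: &FormAuth{..., Next: http.DefaultTransport}}`; a transport shared by concurrent collectors would also need a mutex around the cached cookie.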

onedr0p commented on August 15, 2024

Oh damn that's some good investigating. I know the arrs have been refactoring auth over the past year to help prevent people from doing stupid things, I could have sworn at one point it was only guarded by the API key.

from exportarr.

rtrox commented on August 15, 2024

What's funny is, both form-auth & basic-auth still require you to set the X-Api-Key header 🤷

from exportarr.
