Skip to Content
0

SAP Hana XSA: Protected route not accessible via the web module

May 09, 2017 at 11:46 AM

358

avatar image
Former Member

Hello everyone,

I try to use a node-module which makes use of JWT (passport/xsuaa) to protect the route (/api). Unfortunately, it is only partly working. The route is protected. I receive an unauthorized message when I try to access the route directly. This is fine. But when I try to access the route via the HTML5-module I get the unauthorized message as well. It seems like that the token is not forwarded correctly. What did I wrong?

Best regards,

Lukas

mta.yaml:

ID: node_tutorial
_schema-version: '2.0'
version: 0.0.1

modules:
 - name: myapp
   type: nodejs
   path: myapp
   requires:
    - name: demo_uaa  
   provides:
    - name: myapp_api
      properties:
         url: ${default-url}

 - name: web
   type: html5
   path: web
   requires: 
     - name: demo_uaa   
     - name: myapp_api
       group: destinations 
       properties: 
         name: js_api_url 
         url: ~{url}
         forwardAuthToken: true

resources:
  - name: demo_uaa
    type: com.sap.xs.uaa

start.js (Node.js Module)

"use strict";

var express = require('express');
var xsenv = require('sap-xsenv');
var passport = require('passport');
var JWTStrategy = require('sap-xssec').JWTStrategy;

var app = express();
var services = xsenv.getServices({uaa:{tag:"xsuaa"}}).uaa;

passport.use(new JWTStrategy(services.uaa));
app.use(passport.initialize());
app.use(passport.authenticate('JWT', { session: false }));

app.get('/api', function (req, res) {
  res.send('Hello World!');
});

var port = process.env.PORT || 3000;
app.listen(port, function () {
  console.log('myapp listening on port ' + port);
});

index.html (HTML 5 Module)

<!DOCTYPE HTML>
<html>
<head>
    <title>Test API</title>
</head>
<body>
    <script>
	var xhr = new XMLHttpRequest();
	xhr.open('GET', "https://********************:51081/api/", false);
	xhr.send();
  </script>
</body>
</html>

xs-app.json

{
      "welcomeFile": "index.html",
      "authenticationMethod": "route",
      "routes": [{
         "source": "^/api/(.*)$",
         "destination": "js_api_url"
    }]
}
10 |10000 characters needed characters left characters exceeded

To what module the absolute URL you are using in your index.html is pointing to? To the JS module providing your express service? If yes, this will not work, cause you have to access the service via the route path defined in the xs-app.json. The base is the URL pointing to the web module. So in your index.html it is enough to use the relative route path.

0
Former Member
Florian Pfeffer

Thx for your fast answer. Now I got the error message 500 Internal server error. What might be the reason for this error?

Now the call in the index.html now looks like this:

...
xhr.open('GET', "/api", false);
...

As the path is /api and not /api/ I adapted source of the xs-app.json as well:

...
   "routes": [{
      "source": "^/api",
      "destination": "js_api_url"
    }]
...
0

Difficult to answer w/o having more information. Did you debug the code, to check if your code is reached and at which position it aborts?

0
Former Member
Florian Pfeffer

I found the issue. Instead of passport.use(new JWTStrategy(services.uaa)); it should be passport.use(new JWTStrategy(services)); . The .uaa is already used in var services = xsenv.getServices({uaa:{tag:"xsuaa"}}).uaa;.

0

Great, thx for sharing.

0
* Please Login or Register to Answer, Follow or Comment.

0 Answers