HTTP/1.1 401 Unauthorized

Getting this error while trying to get sample stream data via AngularJS $http.get call()

Request URL: http://localhost:2113/streams/%24stats-127.0.0.1%3A2113?format=json
Request Method: GET
Status Code: HTTP/1.1 401 Unauthorized
Request Headers 19:35:19.000
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:28.0) Gecko/20100101 Firefox/28.0
Referer: http://localhost:63342/AngularTest/index.html
Origin: http://localhost:63342
Host: localhost:2113
Connection: keep-alive
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept: application/json, text/plain, */*
Response Headers Δ1ms
WWW-Authenticate: Basic realm="ES",Basic realm="ES"
Server: Microsoft-HTTPAPI/2.0
Content-Type: text/plain; charset: utf-8
Content-Length: 0
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, DELETE, GET, OPTIONS
Access-Control-Allow-Headers: Content-Type, X-Requested-With, X-PINGOTHER

I understand that according to the Doc I have to Authenticate, however passing Authorization header does not help.

Getting Request header field Authorization is not allowed by Access-Control-Allow-Headers.

Any help is tremendously appreciated!

Sergiy
<><

You need admin rights to read the $all stream. You can read more about that here: https://github.com/EventStore/EventStore/wiki/HTTP-Security

In general you need to be admin to read from $all unless you have changed your default acls.

Also it would be quite odd to be reading $all from a browser as it may have a LOT of events in it. What are you trying to do here?

Thanks for the replies guys.

I am not trying to read $all. I agree, Greg, that would be insane.

Here is some more clarification.

  1. We are trying to create a prototype application to evaluate how, using MOM (Eventstore), we can integrate our Web based client application with our back-end system which is called Power Service. Yes the domain we are in is Power Control/Management.
    So far we are using an in-memory Message Bus, however as we move forward with more integrations we want to move to an out-of-band solution. The only approach I see for this eval app is using the HTTP API (open to any other solution though)
  2. Client side is AngularJS.
  3. I am implementing polling solution as in JavaScript Example
  4. The stream that I am trying to read is that sample stream of local PC stats collection, as you see in the Request URL. Not sure why you mention $all.
  5. I edited ACL for that stream adding $admins to all groups.
  6. I use default admin:changeit credentials.
  7. When I use CURL as suggested in Docs it authenticates no problem and gives the result back
    Any suggestions?

Thanks a lot!

Sergiy

<><

"When I use CURL as suggested in Docs it authenticates no problem and gives the result back"

Are there some special things that are needed with angular? That it works with curl basically says it works :)

Greg

Our new UI uses Angular (apparently!) - github.com/EventStore/EventStore.UI - this might help you.

James

That was my mistake, I got lost in all that percent encoding :)

Well. That is what drives me crazy. :)

Not sure there is anything special about Angular.

I used $.ajax call before (as in the example) - same result.

How does one pass credentials via these calls anyways?

Using Authorization Header does not work as you see in my original post.

Thank you, Greg.

Sergiy
<><

It's standard HTTP authentication.

Hey James,

I searched the code base for any Authentication…

So the only place it is used is in run.js and it is for testing purposes, as it says in the comments. :)

In fact I use the same “$http.defaults.headers.common.Authorization = 'Basic ' + encoded;” way of doing it right before the actual call.

However it is setting Authorization header of the request that gets rejected with this message: “XMLHttpRequest cannot load http://127.0.0.1:2113/streams/%24stats-127.0.0.1%3A2113?format=json. Request header field Authorization is not allowed by Access-Control-Allow-Headers.” And looking at Response I see this: Access-Control-Allow-Headers:Content-Type, X-Requested-With, X-PINGOTHER

Seems like what it says - Authorizing this way is not allowed.

Any thoughts?

Thank you a lot!

Sergiy
<><

Hi,

That requires having built with the dev branch I think - the pull requests for CORS were made after the 3.0RC. They will be in the v3 release though.

Cheers,

James

Thanks James.

I’ll check it out.

Sergiy
<><

Just to update.

The problem with authentication seems to exist for v.2. where I do not see Authorization header in the allowed headers in the Response. (e.g. Access-Control-Allow-Headers: Content-Type, X-Requested-With, X-PINGOTHER) so passing it gives me rejection.

In v.3.0 RC2 however, I see Access-Control-Allow-Headers: Content-Type, X-Requested-With, X-PINGOTHER, Authorization and I authenticate with no problem.

Also, working on making AngularJS tweaks to Javascript polling solution since the example uses jQuery and some assumptions about the structure of the returned JSON which are not true anymore.

Thanks everyone for the help

Sergiy

<><

Very old, but this answer has what is needed:
https://zinoui.com/blog/ajax-basic-authentication
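
The difference between the two Access-Control-Allow-Headers values reported in this thread, as an added example that is not part of the original posts: a simplified JavaScript model of the header check a browser applies to the preflight response. Function names are illustrative, and `Buffer` assumes Node.

```javascript
// Added example. Header values are the ones quoted in this thread;
// function names are illustrative. The safelist is simplified (it ignores
// the value restrictions browsers also apply to Accept and friends).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language']);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// True when a request header forces the browser to send an OPTIONS preflight.
function needsPreflight(name, value) {
  const n = name.toLowerCase();
  if (SAFELISTED.has(n)) return false;
  if (n === 'content-type') {
    return !SIMPLE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
  }
  return true; // Authorization, X-Requested-With, ...
}

// Request headers that the server's Access-Control-Allow-Headers value does
// not cover. An empty array means the preflight header check passes.
function blockedHeaders(requestHeaders, allowHeadersValue) {
  const allowed = new Set(
    allowHeadersValue.split(',').map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
  return Object.entries(requestHeaders)
    .filter(([name, value]) => needsPreflight(name, value))
    .map(([name]) => name.toLowerCase())
    // A "*" entry never covers Authorization; it has to be listed by name.
    .filter((n) => !(allowed.has(n) || (allowed.has('*') && n !== 'authorization')));
}

// HTTP Basic credentials are base64("user:password").
// Buffer is Node's API; in a browser use btoa() instead.
function basicAuth(user, password) {
  return 'Basic ' + Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
}

const request = {
  Accept: 'application/json, text/plain, */*',
  Authorization: basicAuth('admin', 'changeit'), // defaults named in the thread
};
const V2_ALLOW = 'Content-Type, X-Requested-With, X-PINGOTHER';
const V3_ALLOW = 'Content-Type, X-Requested-With, X-PINGOTHER, Authorization';

console.log('v2 blocks:', blockedHeaders(request, V2_ALLOW));
console.log('v3.0 RC2 blocks:', blockedHeaders(request, V3_ALLOW));
```

curl sends no preflight and ignores CORS response headers, which is why the same credentials worked from the command line against the v2 server.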