farmOS / field-kit

A modular, offline-first companion app to farmOS.
https://farmOS.org
GNU General Public License v3.0

403 HTTP response from requests to file paths for admin users #523

Open jgaehring opened 1 year ago

jgaehring commented 1 year ago

As we initially determined over on the forum, there is a bug in my local dev environment where I get 403 HTTP responses from requests to a file path, such as for a JPG image, but only when logged in as an admin, and as far as I can tell, only in the browser, not when requesting from Node.

Here are the request headers from such a failed request:

```http
GET /system/files/farm/log/2023-01/IMG_1372.JPG HTTP/1.1
Accept: image/jpeg
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImp0aSI6IjEyMDlmNWM1MDczNWNiZGYxNDUxNGYyZjk3ZmY2Mjc2MGYwMGFiZDM5ODEwNGQxOTQxMGRjZTc1MTU0NDViMzFmM2MyN2QzZmE4ZTJkZmQzIn0.eyJhdWQiOiJmaWVsZGtpdCIsImp0aSI6IjEyMDlmNWM1MDczNWNiZGYxNDUxNGYyZjk3ZmY2Mjc2MGYwMGFiZDM5ODEwNGQxOTQxMGRjZTc1MTU0NDViMzFmM2MyN2QzZmE4ZTJkZmQzIiwiaWF0IjoxNjc3MTc5OTEzLCJuYmYiOjE2NzcxNzk5MTMsImV4cCI6MTY3NzE4MzUxMy45MjE5MTcsInN1YiI6IjEiLCJzY29wZSI6WyJhbm9ueW1vdXMiLCJhdXRoZW50aWNhdGVkIiwiZmFybV9tYW5hZ2VyIiwiZmFybV92aWV3ZXIiLCJmYXJtX3dvcmtlciJdfQ.uWnXp-wBuuSwpUz3viU5-uAtOs6mzJGBupPDaMTX1VM_SyqdVULbKyGxz8aE_S-czV-HIohesHztWNPsNkBGHRlAORuJlurs2-m0lSm1f2W71oTTEfwgS-f68SJYw-hmaUqLRmb7GIVxuFFk9sizteNOHhN3Cx_DJsOk1I0lLm_9LfcLbbiVQan62w1IQ9InFBq-aFCeoxg0tMa8q6s-wUIxbE2lJa6pMqlo2vxgaQ2YYBxZz1lTWIyyFnmUYT-n9yHVHOibBcofmuTGEoprJ6kalRoP-EorELJ9mFVWPotrtAIZq1mTpoQZFtuDSHbZmbh7KlAPDLE6rsx2lm1IYQ_jjtgEzfoOXdwef02dcQZrrVlCsDYyC0nVsJU-RvKJMQRrMppOBDklwaDbds3oqe9r_xD1qSfhdSiMb59BW4XBaaHeeqvn4enWnBgn5GV8zFHjxRC7KSoWUryVwvVgwcJm_TzAoRAuOLHnth3VGE6jLb-9ispKkz6NNjztHGjnSlMqaTemE9r4kqIu6KD_LdOXb0D2_Y0uZOy6aZ5avOCIYP4UQXZLcL0BUOFXKn-vRVit_ErC1HePipdWjkxj76rs3bAgRzGS3vmvpTC508fm8yYvAp_rkhlz8deVe_aDBuE6H886f-qQN-1sionTJ6019k8ld8bu9J_26btZ2_o
Connection: keep-alive
Host: localhost:8080
Referer: http://localhost:8080/observations
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
sec-ch-ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
```

... and the corresponding 403 response headers:

```http
HTTP/1.1 403 Forbidden
Access-Control-Allow-Origin: *
date: Thu, 23 Feb 2023 19:24:46 GMT
server: Apache/2.4.54 (Debian)
cache-control: must-revalidate, no-cache, private
x-ua-compatible: IE=edge
content-language: en
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
expires: Sun, 19 Nov 1978 05:00:00 GMT
x-generator: Drupal 9 (https://www.drupal.org)
connection: close
transfer-encoding: chunked
content-type: text/html; charset=UTF-8
```

When logged in as a non-admin user, however, it works:

[screenshot]

@mstenta indicated that farmOS/farmOS#563 may possibly be related, though it's not clear exactly how. @symbioquine also provided a helpful testing script, which seems to work on most live farmOS instances in production, at least for non-admins:

```javascript
// Obtain an access token with the OAuth2 password grant, then request the
// private file using only that bearer token (no cookies are sent).
const OAUTH2_ACCESS_TOKEN = (await fetch("https://farmos.test/oauth/token",
      { body: "grant_type=password&username=notadmin&password=test&client_id=farm&scope=farm_manager",
        credentials: 'omit',
        method: 'POST',
        headers: { 'Content-Type': 'application/x-www-form-urlencoded' } })
    .then(r => r.json())).access_token;
await fetch('https://farmos.test/system/files/farm/asset/2022-06/MF_698_tractor_24f07.JPG',
     { credentials: 'omit', headers: { 'Authorization': `Bearer ${OAUTH2_ACCESS_TOKEN}` } });
```

Finally, as I summed up in my last comment on the forum:

> I feel pretty confident this is some combo of my local proxy settings and something to do with admin users. I'm tempted to merge my changes on the field-module-observations branch into develop so we can test it out on https://develop.farmos.app, which would eliminate any issues with the local proxy, although that will also necessitate packaging and installing the Observations module on https://test.farmos.dev or a similar live test server. But like I say, I will need to divert my attention to other issues for the next week, so perhaps that will just be a good place to pick this up again on the other side.

Unfortunately, "for the next week" became the next 4 months. Since I'm finally picking this back up and aiming to achieve a bare MVP of the Observations module for release, no matter if it's buggy on edge cases, I will probably just punt on this until it becomes a major blocker in other regards.
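An added diagnostic harness (example code, not from field-kit or from the issue) that generalises the console snippet above: it takes a password-grant token for each of several accounts, decodes the token's claims so you can see the `sub` and `scope` the server actually granted, and requests the file with the bearer token only, returning a per-user summary so the admin and non-admin outcomes can be compared. The base URL, usernames and passwords are placeholders you supply; the `fetchImpl` argument is an assumption made so the harness can run offline against a fake server.

```javascript
// Added diagnostic harness (not field-kit or issue code). Generalises the
// console snippet above: password-grant token per account, decode its claims
// (inspection only, no signature check), fetch the file with bearer auth only.
// `fetchImpl` is injectable; pass the global `fetch` (Node 18+) for real use.

function decodeJwtPayload(token) {
  const seg = token.split('.')[1];
  if (!seg) throw new Error('not a JWT');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

async function getToken(fetchImpl, baseUrl, user) {
  const body = new URLSearchParams({
    grant_type: 'password', username: user.username, password: user.password,
    client_id: user.clientId || 'farm', scope: user.scope || 'farm_manager',
  });
  const r = await fetchImpl(`${baseUrl}/oauth/token`, {
    method: 'POST', credentials: 'omit', body: body.toString(),
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  });
  if (!r.ok) throw new Error(`token request for ${user.username} failed: ${r.status}`);
  return (await r.json()).access_token;
}

// Same request shape as in the issue: bearer token only, no cookies.
async function probeFile(fetchImpl, baseUrl, token, filePath) {
  const r = await fetchImpl(`${baseUrl}${filePath}`, {
    credentials: 'omit',
    headers: { Authorization: `Bearer ${token}`, Accept: 'image/jpeg' },
  });
  return summarize(r.status, r.headers.get('content-type') || '', decodeJwtPayload(token));
}

// Pure classification so it can be checked without a server; an expired token
// fails too, and that failure says nothing about the user's roles.
function summarize(status, contentType, claims) {
  const expired = typeof claims.exp === 'number' && claims.exp * 1000 < Date.now();
  let verdict = `unexpected ${status}`;
  if (expired) verdict = 'token-expired';
  else if (status === 200) verdict = 'ok';
  else if (status === 403 && /text\/html/.test(contentType)) verdict = 'forbidden'; // HTML 403 page, not the image
  return { status, contentType, sub: claims.sub, scope: claims.scope, expired, verdict };
}

async function compareUsers(fetchImpl, baseUrl, filePath, users) {
  const out = {};
  for (const u of users) out[u.username] = await probeFile(fetchImpl, baseUrl, await getToken(fetchImpl, baseUrl, u), filePath);
  return out;
}
```

Running `compareUsers(fetch, 'https://farmos.test', '/system/files/farm/log/2023-01/IMG_1372.JPG', [...])` against a real instance returns one summary per account, which makes a 403 for the admin token beside a 200 for the non-admin token visible in a single run.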