Failed to authenticate: Request Failed with status code 400

[aksharbarot]

Issue Title

VSCode Desktop unable to authenticate coder url.

Tried to open workspace directly

Description

Coder is working fine in Terminal. I can able to connect using manual command

ssh -v -T -D 49217 "coder-vscode--iknow--silver-greenhopper-59" bash

Version

v2.11.0+8979bf

Extensions Version: V1.0.2 / used as well V1.1.0

Steps to Reproduce

Step 1: Login to Coder URL
Step 2: Create workspace template
Step 3: Create workspace from Step 2
Step 4: Connect to vscode

Logs from vscode

No logs

Logs from "globalStorage\coder.coder-remote\log"

No logs here as well

Command line login

coder login works file when provide token

Note

Using self sign certificate
using http_proxy too

[code-asher]

How are you setting the proxy for VS Code? Using the http.proxy setting?

[aksharbarot]

Yes. It is added in settings.json

"coder.insecure": true,
"http.proxy": "http://IP:PORT",
"http.proxyAuthorization": null

at the same time when i hit enter in coder login url from extension.

I see below message in developer tool. VScode > Help > Toggle Developer Tool

But, when i manually curl -v coder url then, it does return "csrf-token"

[code-asher]

When you run cURL is it using the proxy as well? Do you get a response back for curl --proxy http://IP:PORT https://my-coder-domain/api/v2/buildinfo?

Are you able to get any logs from the proxy?

I think we need to add some better debugging on the plugin when a request fails, right now there is no good way to actually inspect the request that was made.

The CSRF error I believe can be ignored.

[aksharbarot]

Yes. I get response back when i used --proxy in curl

PS C:\Users\demo\Downloads> curl -v --proxy http://127.0.0.1:3128 https://myurl.coder.domain/api/v2/buildinfo
* Uses proxy env variable no_proxy == 'localhost'
*   Trying 127.0.0.1:3128...
* Connected to 127.0.0.1 (127.0.0.1) port 3128
* CONNECT tunnel: HTTP/1.1 negotiated
* allocate connect buffer
* Establish HTTP proxy tunnel to myurl.coder.domain:443
> CONNECT myurl.coder.domain:443 HTTP/1.1
> Host: myurl.coder.domain:443
> User-Agent: curl/8.7.1
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
< Connection: close
<
* CONNECT phase completed
* CONNECT tunnel established, response 200

I don't have proxy logs but, tcp trace shows as below,

14 3.913391 10.yyy.yyy.yyy 10.x.xxx.xxx HTTP 306 CONNECT myurl.coder.domain:443 HTTP/1.1 , NTLMSSP_NEGOTIATE
15 3.941441 10.x.xxx.xxx 10.yyy.yyy.yyy TCP 66 [TCP Window Update] 8080 → 41821 [ACK] Seq=1 Ack=1 ............
84 4.126459 10.x.xxx.xxx 10.yyy.yyy.yyy HTTP 105 HTTP/1.1 200 Connection established
85 4.138854 10.yyy.yyy.yyy 10.x.xxx.xxx TLSv1.2 583 Client Hello (SNI=myurl.coder.domain)
86 4.187255 10.x.xxx.xxx 10.yyy.yyy.yyy TLSv1.2 1314 Server Hello
87 4.187255 10.x.xxx.xxx 10.yyy.yyy.yyy TLSv1.2 902 Certificate, Server Key Exchange, Server Hello Done

tcp trace logs when using vscode coder extentions

509 11.982731 10.yyy.yyy.yyy 10.x.xxx.xxx HTTP 455 GET https://myurl.coder.domain:8080/api/v2/users/me HTTP/1.1 , NTLMSSP_NEGOTIATE
510 12.014605 10.x.xxx.xxx 10.yyy.yyy.yyy TCP 66 [TCP Window Update] 8080 → 41704 [ACK] Seq=1 Ack=1 ............
511 12.014605 10.x.xxx.xxx 10.yyy.yyy.yyy TCP 1314 8080 → 41704 [ACK] Seq=1 Ack=390 Win=99328 Len=1248 ............
512 12.014974 10.yyy.yyy.yyy 10.x.xxx.xxx TCP 66 41704 → 8080 [ACK] Seq=390 Ack=1249 Win=132096 Len=0 ...........
513 12.015057 10.x.xxx.xxx 10.yyy.yyy.yyy TCP 1314 8080 → 41704 [ACK] Seq=1249 Ack=390 Win=99328 Len=1248 .............
514 12.015057 10.x.xxx.xxx 10.yyy.yyy.yyy HTTP 613 HTTP/1.1 400 Bad Request (text/html)

[aksharbarot]

in vscode, If i change below settings,

"http.proxySupport": "fallback"

then, port 8080 is not added. but, still it fails with 400 Bad Request

176 7.115697 10.yyy.yyy.yyy 10.x.xxx.xxx HTTP 483 GET https://myurl.coder.domain/api/v2/users/me HTTP/1.1 , NTLMSSP_NEGOTIATE
177 7.142449 10.x.xxx.xxx 10.yyy.yyy.yyy TCP 66 [TCP Window Update] 8080 → 32101 [ACK] Seq=1 Ack=1 ...........
178 7.146010 10.x.xxx.xxx 10.yyy.yyy.yyy TCP 1314 8080 → 32101 [ACK] Seq=1 Ack=418 Win=99328 Len=1248 ............
179 7.146010 10.x.xxx.xxx 10.yyy.yyy.yyy TCP 1314 8080 → 32101 [ACK] Seq=1249 Ack=418 Win=99328 Len=1248 ...............
180 7.146010 10.x.xxx.xxx 10.yyy.yyy.yyy HTTP 608 HTTP/1.1 400 Bad Request (text/html)

same GET url does work from curl but, not from extension

[code-asher]

Hmmmm interesting that the CONNECT seems to be missing in the tcp trace.

One thing you could try is to update to 1.2.1 and set http.proxySupport to either on or off to make the Coder plugin use its own proxy rather than have VS Code handle it, although our support is pretty much the same as VS Code's so I doubt it would work any better, but if it does work with ours that means there could be a bug in VS Code.

Do other parts of VS Code work fine with the proxy? Like searching for extensions?

[aksharbarot]

@code-asher
searching and downloading extensions works fine and well.

No. changing, http.proxySupport didn't help.

but, wondering that why coder extension is making query to get https://myurl.coder.domain/api/v2/users/me because, It should go for authentication first.

GET https://myurl.coder.domain/api/v2/users/me HTTP/1.1
Accept: application/json, text/plain, /
Coder-Session-Token: AdBes3XXXXXXXXXXXXXXXXXXXXCYH
User-Agent: axios/1.6.8
Accept-Encoding: gzip, compress, deflate, br
host: myurl.coder.domain
Connection: close

HTTP/1.1 400 Bad Request
Cache-Control: no-cache
X-XSS-Protection: 1
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 2863
Pragma: no-cache

[aksharbarot]

I understood that GET and PUT requests are getting block.

I tried manually send GET request using axios and It is showing same error as coder extensions shows status 400.

[code-asher]

but, wondering that why coder extension is making query to get https://myurl.coder.domain/api/v2/users/me because, It should go for authentication first.

What do you mean by "go for authentication first"? We always need the user details, so we make that the first call. There is no separate auth call, we have to handle authorization for every call we make since the token can expire at any time, if that makes sense.

I understood that GET and PUT requests are getting block.

Oh interesting! Could be a proxy configuration issue then?

[jfhovinne]

@code-asher I am experiencing the same issue behind a corporate HTTP proxy, and this seems related to axios/axios#4531

Using the current extension implementation, I always get "Request failed with status code 400" while authenticating, whatever the proxy configuration I set.

I could also reproduce the issue using the following snippet:

const axios = require('axios');

axios.get('https://coder/api/v2/users/me', {
  headers: {"Coder-Session-Token": "..."},
  proxy: {
    host: "...",
    port: "...",
    protocol: "http",
    auth: {
      username: "...",
      password: "..."
    }
  }
}

)
  .then(function (response) {
    console.log(response);
  })
  .catch(function (error) {
    console.log(error);
  })
  .finally(function () {
  });

While the following - using ProxyAgent - seems to fix the issue, i.e. I get a 200 instead:

const axios = require("axios").default;
const https = require('https')
const { ProxyAgent } = require("proxy-agent");

async function call() {
  const url = "https://coder/api/v2/users/me";
  const agent = new ProxyAgent();
  const res = await axios.get(url, {
      headers: {"Coder-Session-Token": "..."},
      httpAgent:agent,
      httpsAgent:agent,
      proxy: false 
    }
  );
  console.log(res.data);
}
call();

I'll see if I can test the extension with such implementation and confirm it fixes the issue.

[code-asher]

In the first snippet there is no agent so it makes sense that it would fail. We use new ProxyAgent() when a proxy is configured (either through settings or environment variables), although depending on the value of proxySupport VS Code might override our agent with their own.

[jfhovinne]

FYI sending the example request below using the REST Client extension, with http.proxySupport set to on or override, I get a 200.

GET https://coder/api/v2/users/me
Content-Type: application/json
Coder-Session-Token: ...

[jfhovinne]

@code-asher Setting config.proxy = false in restClient.getAxiosInstance() (src/api.ts) as in my second snippet above seems to fix the issue (http.proxySupport must be set to on or off); at least I can login when behind the corporate HTTP proxy, and use the extension.

Should I make a PR?