IPFS Authentication Error 403 - Forbidden

Adamus · August 10, 2022, 10:06pm

Any update on this ? We still get 403 - Forbidden

jath · August 10, 2022, 10:09pm

Do you mind explaining this? I’ve never faced this type of problem before and am still learning about API requests

Adamus · August 10, 2022, 10:20pm

Disable the user-agent blocker.

jath · August 10, 2022, 10:28pm

how would you do that?

jaimiedaly · August 10, 2022, 11:01pm

I was able to get around this in my Remix application by setting up a backend api route and pinging that and essentially using the same calls above looks like this is broken in the browser

timmy161 · August 10, 2022, 11:15pm

Unfortunately this broke at the worst possible time for me. Would this work if I set up a backend, have to probably use python backend in my case.

jmor · August 11, 2022, 12:36am

Having the same issue…

We are making the API call from the browser so the user-agent/origin headers are both already being sent and we have no way to alter this behavior without introducing a backend.

It seems like according to that github issue that the IPFS node needs to be configured to accept alternative origins

Thanks in advance and let me know if there is something else I can try

gbzon · August 11, 2022, 1:49am

It’s returning 403 with this exact code. Was working fine yesterday, today it’s broken for authorized and unauthorized, everything pretty much stopped uploading

chris.paterson · August 11, 2022, 3:32am

Hi,

It seems that the reason for most people in this thread have problems is due to this:

github.com/ipfs/kubo

IPFS API rejects HTTP-queries with `User-Agent: Mozilla` but accepts `User-Agent: IE` and other random string

opened 04:18PM - 04 Nov 21 UTC

closed 08:51PM - 03 Dec 21 UTC

dogada

kind/bug need/triage

### Checklist - [X] This is a bug report, not a question. Ask questions on [dis…cuss.ipfs.io](https://discuss.ipfs.io). - [X] I have searched on the [issue tracker](https://github.com/ipfs/go-ipfs/issues?q=is%3Aissue) for my bug. - [X] I am running the latest [go-ipfs version](https://dist.ipfs.io/#go-ipfs) or have an issue updating. ### Installation method third-party binary ### Version ```Text go-ipfs version: 0.10.0-64b532f Repo version: 11 System version: amd64/linux Golang version: go1.16.7 ``` ### Config ```json { "API": { "HTTPHeaders": {} }, "Addresses": { "API": "/ip4/0.0.0.0/tcp/5001", "Announce": [], "Gateway": "/ip4/0.0.0.0/tcp/8080", "NoAnnounce": [], "Swarm": [ "/ip4/0.0.0.0/tcp/4001", "/ip6/::/tcp/4001", "/ip4/0.0.0.0/udp/4001/quic", "/ip6/::/udp/4001/quic" ] }, "AutoNAT": {}, "Bootstrap": [ "/dnsaddr/bootstrap.libp2p.io/p2p/QmcZf59bWwK5XFi76CZX8cbJ4BhTzzA3gU1ZjYZcYW3dwt", "/ip4/104.131.131.82/tcp/4001/p2p/QmaCpDMGvV2BGHeYERUEnRQAwe3N8SzbUtfsmvsqQLuvuJ", "/ip4/104.131.131.82/udp/4001/quic/p2p/QmaCpDMGvV2BGHeYERUEnRQAwe3N8SzbUtfsmvsqQLuvuJ", "/dnsaddr/bootstrap.libp2p.io/p2p/QmNnooDu7bfjPFoTZYxMNLWUQJyrVwtbZg5gBMjTezGAJN", "/dnsaddr/bootstrap.libp2p.io/p2p/QmQCU2EcMqAqQPR2i9bChDtGNJchTbq5TbXJJ16u19uLTa", "/dnsaddr/bootstrap.libp2p.io/p2p/QmbLHAnMoJPWSCR5Zhtx6BHJX9KiKNN6tpvbUcqanj75Nb" ], "DNS": { "Resolvers": {} }, "Datastore": { "BloomFilterSize": 0, "GCPeriod": "1h", "HashOnRead": false, "Spec": { "mounts": [ { "child": { "path": "blocks", "shardFunc": "/repo/flatfs/shard/v1/next-to-last/2", "sync": true, "type": "flatfs" }, "mountpoint": "/blocks", "prefix": "flatfs.datastore", "type": "measure" }, { "child": { "compression": "none", "path": "datastore", "type": "levelds" }, "mountpoint": "/", "prefix": "leveldb.datastore", "type": "measure" } ], "type": "mount" }, "StorageGCWatermark": 90, "StorageMax": "10GB" }, "Discovery": { "MDNS": { "Enabled": true, "Interval": 10 } }, "Experimental": { "AcceleratedDHTClient": false, "FilestoreEnabled": false, "GraphsyncEnabled": false, "Libp2pStreamMounting": false, "P2pHttpProxy": false, "ShardingEnabled": false, "StrategicProviding": false, "UrlstoreEnabled": false }, "Gateway": { "APICommands": [], "HTTPHeaders": { "Access-Control-Allow-Headers": [ "X-Requested-With", "Range", "User-Agent" ], "Access-Control-Allow-Methods": [ "GET" ], "Access-Control-Allow-Origin": [ "*" ] }, "NoDNSLink": false, "NoFetch": false, "PathPrefixes": [], "PublicGateways": null, "RootRedirect": "", "Writable": false }, "Identity": { "PeerID": "12D3KooWG7aHXhaD7Ns9aDEmmekabokzwAwK6AB4Y8LMrQgmTtZz" }, "Internal": {}, "Ipns": { "RecordLifetime": "", "RepublishPeriod": "", "ResolveCacheSize": 128 }, "Migration": { "DownloadSources": [], "Keep": "" }, "Mounts": { "FuseAllowOther": false, "IPFS": "/ipfs", "IPNS": "/ipns" }, "Peering": { "Peers": null }, "Pinning": { "RemoteServices": {} }, "Plugins": { "Plugins": null }, "Provider": { "Strategy": "" }, "Pubsub": { "DisableSigning": false, "Router": "" }, "Reprovider": { "Interval": "12h", "Strategy": "all" }, "Routing": { "Type": "dht" }, "Swarm": { "AddrFilters": null, "ConnMgr": { "GracePeriod": "20s", "HighWater": 900, "LowWater": 600, "Type": "basic" }, "DisableBandwidthMetrics": false, "DisableNatPortMap": false, "EnableAutoRelay": false, "EnableRelayHop": false, "Transports": { "Multiplexers": {}, "Network": {}, "Security": {} } } } ``` ### Description I try to connect to IPFS daemon from Chrome browser and I found that default IPFS installation rejects queries when user agent is set to 'Mozilla' but accepts if user-agent is IE or other random string? I understand when requests are blocked by CORS policy, but what the reason to block Mozilla? Do you have any example of config that allows to accept XHR-queries from browser? ``` $ curl 'http://localhost:5001/api/v0/version' -X 'POST' -H 'User-Agent: Mozilla' 403 - Forbidden $ curl 'http://localhost:5001/api/v0/version' -X 'POST' -H 'User-Agent: IE ()' {"Version":"0.10.0","Commit":"64b532f","Repo":"11","System":"amd64/linux","Golang":"go1.16.7"} $ curl 'http://localhost:5001/api/v0/version' -X 'POST' -H 'User-Agent: IE random string' {"Version":"0.10.0","Commit":"64b532f","Repo":"11","System":"amd64/linux","Golang":"go1.16.7"} ```

If I’m summarising the problem correctly -
Browsers (basically all of which send “Mozilla” as part of their User Agent header) always send an Origin header according to the spec. Correspondingly the go-ifps node looks for this Origin header when it thinks it’s a browser as the client. This seems to be new behaviour (some people above have been authenticating for months OK). go-ipfs does not insist on the Origin header if the User Agent does not contain Mozilla (indicating the client is not a browser.)

If you are accessing the IPFS API from within a browser, then Origin should be sent for you. Your problem may be elsewhere if you are still getting 403.

If you are using curl or code outside of a browser you should not need to send an Origin header. If you do send the Origin header, don’t include Mozilla in the string.

I hope that’s correct, I’ll do some testing. If you still have trouble please send your code, especially the headers you are sending with your request.

nmaddp1995 · August 11, 2022, 4:22am

Is there anyway to by pass this issue (any option in ipfs-http-client lib for example).
This is my code that work before

  const authorization =
      'Basic ' +
      btoa(process.env.NEXT_PUBLIC_IPFS_INFURA_PROJECT_ID + ':' + process.env.NEXT_PUBLIC_IPFS_INFURA_PROJECT_SECRET);
    const ipfs: IPFSHTTPClient = create({
      url: `${process.env.NEXT_PUBLIC_IPFS_INFURA_ENDPOINT}/api/v0`,
      headers: {
        authorization,
      },
    });

chris.paterson · August 11, 2022, 5:35am

Hi nmaddp1995,

I think the correct way to pass the authentication header is like this:
headers: {
authorization: authorization,
},

You need an authorization key, then the header itself you are building further up as well.

Does that work for you?

traian.vila · August 11, 2022, 5:46am

you can pass a custom user-agent like this:

headers: {
authorization: auth,
“User-Agent”: “foobar”
}

The problem is that Chrome ignores it, it seems to work in other browsers.

philvms · August 11, 2022, 5:52am

so this is on go-ipfs side? how is this resolved? I’m running chrome and sending the requests from my browser and following the recommended solution for the authentication

aneesha_kota · August 11, 2022, 5:58am

Doesn’t work for me on Edge. The user-agent is still being “mozilla”

Here is my code:

import { create as ipfsHttpClient } from "ipfs-http-client";

const auth = "Basic " + Buffer.from(projectId + ":" + projectSecret).toString("base64");
const client = ipfsHttpClient({
    host: "ipfs.infura.io",
    port: 5001,
    protocol: "https",
    apiPath: "/api/v0",
    headers: {
      authorization: auth,
      "Access-Control-Allow-Origin": ["*"],
      Origin: "https://ipfs.infura.io:5001",
      "User-Agent": "foo"
    },
});

client.pin.add(file) gives 403 forbidden error

ccc_d · August 11, 2022, 6:19am

I met the same issue Is there a way to solve this problem?

ccc_d · August 11, 2022, 6:27am

It’s working for me. Thanks

nmaddp1995 · August 11, 2022, 6:42am

How did you change, i set user agent but chrome still set it to mozila

nmaddp1995 · August 11, 2022, 6:42am

yeah, i try it but it still show 403 error in chrome browser

philvms · August 11, 2022, 6:42am

so I tried this in safari. Overwriting user agent appears to work. But it does not work in chrome and I suspect all chromium browsers (tried in Brave as well). so the latest go-ipfs update basically breaks all web3 applications that relies on accessing ifps through browser?

nmaddp1995 · August 11, 2022, 6:57am

I thought you guys should revert what’s just get merged or something else because it affects a lot of customer that is using this function on chrome