frontend: harden grafana against extraneous auth headers (!38544) · Merge requests · Administrator / sourcegraph

Administrator requested to merge mmolinaro/harden-grafana into main Jul 11, 2022

Created by: keegancsmith

grafana will fail with {"message":"invalid API key"} if an authorization header is set. Ideally, such a header would not be set, but it may be in the case of specific proxies sitting in front of SG. In our case, we stripped the authorization header to get around this issue, but that causes issues when using token auth (like with vscode extension)

Note: This PR exists since our automation seems broken at the moment for outside contributors. See original PR here https://github.com/sourcegraph/sourcegraph/pull/37892

Test plan

Set authentication header to some dummy value (I use a chrome extension for modifying headers)
go to https://sourcegraph.test:3443/-/debug/grafana/ and note the {"message":"invalid API key"}
Make the change present in this PR
go to https://sourcegraph.test:3443/-/debug/grafana/ and note the grafana loads correctly

Co-Authored-By: @markjm

frontend: harden grafana against extraneous auth headers

Test plan

Merge request reports