frontend: harden grafana against extraneous auth headers

Warren Gifford requested to merge mmolinaro/harden-grafana into main

Created by: keegancsmith

grafana will fail with {"message":"invalid API key"} if an authorization header is set. Ideally, such a header would not be set, but it may be in the case of specific proxies sitting in front of SG. In our case, we stripped the authorization header to get around this issue, but that causes issues when using token auth (like with vscode extension).

Note: This PR exists since our automation seems broken at the moment for outside contributors. See original PR here https://github.com/sourcegraph/sourcegraph/pull/37892

Test plan

  1. Set authentication header to some dummy value (I use a chrome extension for modifying headers)
  2. Go to https://sourcegraph.test:3443/-/debug/grafana/ and note the {"message":"invalid API key"}
  3. Make the change present in this PR
  4. Go to https://sourcegraph.test:3443/-/debug/grafana/ and note that grafana loads correctly

Co-Authored-By: @markjm
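
The header handling described above, as an added example that is not the change made in this PR: a Go reverse proxy that removes the client's Authorization header only from the request it forwards to the Grafana upstream, so token auth to the rest of the application is untouched. The names `fakeGrafana`, `newDebugProxy` and `probe`, and the 401 status of the stand-in upstream, are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// fakeGrafana is a constructed stand-in: it rejects any Authorization header (401 is assumed).
func fakeGrafana() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "" {
			http.Error(w, `{"message":"invalid API key"}`, http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "grafana ok")
	}))
}

// newDebugProxy forwards to upstream; with strip set it deletes Authorization before forwarding.
func newDebugProxy(upstream *url.URL, strip bool) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(upstream)
	direct := p.Director
	p.Director = func(r *http.Request) {
		direct(r)
		if strip {
			r.Header.Del("Authorization")
		}
	}
	return p
}

// probe sends one request with a dummy Authorization header through the proxy.
func probe(strip bool) (int, string) {
	up := fakeGrafana()
	defer up.Close()
	u, _ := url.Parse(up.URL)
	req := httptest.NewRequest("GET", "/-/debug/grafana/", nil)
	req.Header.Set("Authorization", "token dummy") // constructed dummy value
	rec := httptest.NewRecorder()
	newDebugProxy(u, strip).ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(probe(false))
	fmt.Println(probe(true))
}
```

Scoping the deletion to the handler that fronts Grafana, rather than stripping the header at an outer proxy, keeps the header available to routes that authenticate with it.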