Trouble getting custom key to work

I’m trying to import some custom keys into Tyk, but I’m having trouble making it work due to the way Tyk encodes keys.

Here’s what my request looks like:

curl -X 'POST' 'http://34.54.142.43/blah' \
  -H 'accept: application/json' \
  -H 'api_key: abc' \
  -H 'Content-Type: application/json' \
  -d '{
  "arg1": [
    "string"
  ],
  "arg2": "string"
}'

where api_key contains my API key.

When I import this key using:

curl --location --request POST "http://$TYK_STATIC_IP/tyk/keys/abc" \
--header "x-tyk-authorization: $TYK_SECRET" \
--header "Content-Type: application/json" \
--data '{ "apply_policy_id": "internal"}'

I get back a base64 encoding of a JSON containing org_id, key_id, and hash_algo, e.g. eyJvcmciOiIiLCJpZCI6ImFiYyIsImgiOiJtdXJtdXIxMjgifQ==.

But then the above call using “abc” doesn’t work and I need to use “eyJvcmciOiIiLCJpZCI6ImFiYyIsImgiOiJtdXJtdXIxMjgifQ==”.

I want to use “abc”, as this is the key we pass to customers.

Hi @Trung_Vu,

Thanks for using Tyk!

We haven’t managed to reproduce this immediately so will need some more information to investigate further.

Would you please share your Gateway configuration - tyk.conf - (obfuscating any identifiable fields)?

Which version of Redis are you using?

Thanks.

Hi Andy,

Thanks for the help. I’m using Tyk-OSS with Helm. I’m using tyk-oss 1.6.0 chart and redis 20.0.1 chart.

Here’s my Helm config:

  tyk-gateway:
    gateway:
      replicaCount: 1
      service:
        type: LoadBalancer
        port: 8080
        annotations:
          cloud.google.com/load-balancer-type: "External"
          networking.gke.io/load-balancer-ip-addresses: "tyk-static"
          cloud.google.com/l4-rbs: "enabled"
        nodeSelector:
          snapshot.storage.kubernetes.io/schedule: "0 * * * *"  # Hourly snapshots
          snapshot.storage.kubernetes.io/snapshot-class-name: "tyk-gce-pd-snapshot-class-14-day"
      hashKeyFunction: ""
      extraEnvs:
        - name: TYK_GW_ENABLEHASHEDKEYSLISTING
          value: "true"
  tyk-dashboard:
    enabled: false
  tyk-pump:
    enabled: false
  global:
    redis:
      pass: "" 
    secrets:
      APISecret: ""
    hashKeys: true

Here’s internal-policy.json:

{
  "id": "internal",
  "quota_max": 1000000000000000,
  "quota_remaining": 1000000000000000, 
  "quota_renewal_rate": 60,
  "allowance": 1000000000000000,
  "rate": 1000000000000000,
  "per": 1,
  "expires": 0,
  "access_rights": {
    "bespokelabs": {
      "allowed_urls": [
        {
          "url": "/docs",
          "methods": ["GET"]
        },
        {
          "url": "/v0/argus/factcheck",
          "methods": ["POST"]
        }
      ]
    }
  }
}

And here’s our OpenAPI definition:

{
  "components": {
    "schemas": {
      "FactCheckRequest": {
        "properties": {
          "claim": {
            "description": "The claim to be fact-checked",
            "title": "Claim",
            "type": "string"
          },
          "contexts": {
            "items": {
              "type": "string"
            },
            "title": "Contexts",
            "type": "array"
          }
        },
        "required": [
          "contexts",
          "claim"
        ],
        "title": "FactCheckRequest",
        "type": "object"
      },
      "FactCheckResponse": {
        "properties": {
          "claim_supported_by_contexts": {
            "items": {
              "type": "number"
            },
            "title": "Claim Supported By Contexts",
            "type": "array"
          }
        },
        "required": [
          "claim_supported_by_contexts"
        ],
        "title": "FactCheckResponse",
        "type": "object"
      },
      "HTTPValidationError": {
        "properties": {
          "detail": {
            "items": {
              "$ref": "#/components/schemas/ValidationError"
            },
            "title": "Detail",
            "type": "array"
          }
        },
        "title": "HTTPValidationError",
        "type": "object"
      },
      "ValidationError": {
        "properties": {
          "loc": {
            "items": {
              "anyOf": [
                {
                  "type": "string"
                },
                {
                  "type": "integer"
                }
              ]
            },
            "title": "Location",
            "type": "array"
          },
          "msg": {
            "title": "Message",
            "type": "string"
          },
          "type": {
            "title": "Error Type",
            "type": "string"
          }
        },
        "required": [
          "loc",
          "msg",
          "type"
        ],
        "title": "ValidationError",
        "type": "object"
      }
    },
    "securitySchemes": {
      "APIKeyHeader": {
        "in": "header",
        "name": "api_key",
        "type": "apiKey"
      }
    }
  },
  "info": {
    "title": "Argus",
    "version": "0.0.2"
  },
  "openapi": "3.0.3",
  "paths": {
    "/v0/argus/factcheck": {
      "post": {
        "operationId": "factcheck_v0_argus_factcheck_post",
        "requestBody": {
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/FactCheckRequest"
              }
            }
          },
          "required": true
        },
        "responses": {
          "200": {
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/FactCheckResponse"
                }
              }
            },
            "description": "Successful Response"
          },
          "422": {
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/HTTPValidationError"
                }
              }
            },
            "description": "Validation Error"
          }
        },
        "security": [
          {
            "APIKeyHeader": []
          }
        ],
        "summary": "Factcheck"
      }
    }
  },
  "servers": [
    {
      "url": "http://127.0.0.1:8080/"
    },
    {
      "description": "Production server",
      "url": "http://127.0.0.0"
    }
  ],
  "security": [
    {
      "APIKeyHeader": []
    }
  ],
  "x-tyk-api-gateway": {
    "info": {
      "id": "bespokelabs",
      "name": "Argus",
      "state": {
        "active": true
      }
    },
    "upstream": {
      "url": "http://127.0.0.0"
    },
    "server": {
      "listenPath": {
        "value": "/",
        "strip": true
      },
      "authentication": {
        "securitySchemes": {
          "APIKeyHeader": {
            "enabled": true
          }
        },
        "enabled": true
      }
    },
    "middleware": {
      "global": {
        "contextVariables": {
          "enabled": true
        },
        "trafficLogs": {
          "enabled": true
        }
      },
      "operations": {
        "factcheck_v0_argus_factcheck_post": {
          "rateLimit": {
            "enabled": true,
            "rate": 100,
            "per": "1s"
          }
        }
      }
    }
  }
}

Any updates on this? Thanks!

Hi @Trung_Vu,

Thank you for your patience.

You should include the org_id in the request to make the custom key. It would be great for the policy, internal-policy.json, to set an org_id as well.

The “apply_policy_id” field is deprecated - please use “apply_policies” instead. Please see about the session object.
Also, please use custom keys of character length greater than 4 (e.g. abcde), as some hashing algorithms could experience collisions for short tokens. (internal refs: TT-7181, SO)

Hope this helps.
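Decoding the value quoted in the first post makes the two points in the reply above concrete. This is an added example, not code from the thread or from Tyk: the field names `org`, `id` and `h` are read from that quoted token, the function names are hypothetical, and `ORG_ID_PLACEHOLDER` stands in for an org ID the thread never gives.

```python
import base64
import binascii
import json

# Value quoted in the first post of this thread.
RETURNED_KEY = "eyJvcmciOiIiLCJpZCI6ImFiYyIsImgiOiJtdXJtdXIxMjgifQ=="


def decode_key_envelope(token):
    """Return the JSON object inside a base64 key, or None for a plain key."""
    try:
        raw = base64.b64decode(token, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError):
        # Bad padding, non-UTF-8 bytes or non-JSON text: not an envelope.
        return None
    return obj if isinstance(obj, dict) else None


def review_key(token):
    """List the issues the reply in this thread warns about."""
    env = decode_key_envelope(token)
    if env is None:
        return {"envelope": None, "issues": ["not a base64 JSON envelope"]}
    issues = []
    if not env.get("org"):
        issues.append("org is empty: no org_id was sent when the key was created")
    if len(str(env.get("id", ""))) <= 4:
        issues.append("custom key id is not longer than 4 characters")
    return {"envelope": env, "issues": issues}


def key_request_body(org_id, policy_id):
    """Body for the key-creation call using the two fields the reply names."""
    return json.dumps({"org_id": org_id, "apply_policies": [policy_id]})


if __name__ == "__main__":
    print(review_key(RETURNED_KEY))
    # Placeholder org ID (assumption); "internal" is the policy id from the thread.
    print(key_request_body("ORG_ID_PLACEHOLDER", "internal"))
```
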