Missing authorization header errors

[NerijusRazvodovskis]

Describe the bug
Hello, when trying to add an new device for an existing or for the newly created users, core service throws an error Missing authorization header.

To Reproduce
Steps to reproduce the behavior:

1. Go to the users.
2. Press Add new device.
3. Try to insert into the client VPN url and token brings following errors at the client side:

[2/10/2025, 11:07:59 AM][ERROR][Client] invalid args `response` for command `update_instance`: missing field `configs`
[2/10/2025, 11:08:01 AM][ERROR][Client] Failed to create device check enrollment and defguard logs, details: Missing authorization header,  Error status code: 401

4. At the proxy service it throws errors:

Feb 10 09:08:01 stage-defguard1.labas.io defguard-proxy[306435]: 2025-02-10T09:08:01.927976Z ERROR defguard_proxy::handlers: 86.106.20.24 POST /api/v1/enrollment/create_device Received an error response from the core service. | status code: 16 message: Missing authorization header || Tracing data:  http_request:

5. At the core service it throws errors:

Feb 10 09:07:59 stage-defguard1.labas.io defguard[306358]: 2025-02-10T09:07:59.256862Z  INFO defguard::grpc::enrollment: User nerijus.razvodovskis(7) is active, proceeding with enrollment
Feb 10 09:07:59 stage-defguard1.labas.io defguard[306358]: 2025-02-10T09:07:59.257071Z  INFO defguard::grpc::enrollment: Enrollment session started for user nerijus.razvodovskis(7)
Feb 10 09:07:59 stage-defguard1.labas.io defguard[306358]: 2025-02-10T09:07:59.431396Z  INFO defguard::grpc: Received message from proxy.
Feb 10 09:07:59 stage-defguard1.labas.io defguard[306358]: 2025-02-10T09:07:59.431416Z  INFO defguard::grpc::enrollment: Validating enrollment session. Token: None
Feb 10 09:07:59 stage-defguard1.labas.io defguard[306358]: 2025-02-10T09:07:59.431421Z ERROR defguard::grpc::enrollment: Missing authorization header in request
Feb 10 09:07:59 stage-defguard1.labas.io defguard[306358]: 2025-02-10T09:07:59.431426Z ERROR defguard::grpc: get network info error status: Unauthenticated, message: "Missing authorization header", details: [], metadata: MetadataMap { headers: {} }

Expected behavior
It lets to add new device for existing users or for newly created ones.

Version information

• Defguard Core version: v1.2.0
• Defguard Gateway version: v1.2.0
• Defguard Client version: v1.2.0

Actually it started to act in this way from no where, one day it was working fine, another day this happened. Perhaps we are missing something from the configuration side?

[NerijusRazvodovskis]

Am i'm right that Token is being lost somehow between Client -> Proxy -> Core communication? Since from the core service log we can see INFO defguard::grpc::enrollment: Validating enrollment session. Token: None

Or maybe it could be related with DefGuard/client#384? Since our setup is under CF aswell.

[NerijusRazvodovskis]

i just stopped to proxy it (enrollment endpoint) via CloudFlare and it started to work, so seems like it's related to the issue which i mentioned before

[t-aleksander]

Yes this is very likely the case. We'll look into it.

[audmas]

@t-aleksander maybe there is any news regarding this issue?

[t-aleksander]

@audmas Unfortunately not yet. We are quite busy with other stuff at the moment. We've put the issue on the backlog so it will be done before the version 1.3.0 (the next minor release) comes out.