Template download fails with message "Needs Authorization"

The .env.prod uses an empty authority string because that basically causes the URLs generated by the Api.service etc. to become relative URLs, so the client browser is what determines where the instance is running and where to actually send that relative URL request to

Okay, that makes more sense now.

Maybe the fix we need is to instead modify the backend where it handles processing the JWT token and checking the origin, and have it be ever so slightly more lenient. If it’s given an absolute URL then the authority portion must match. If it’s given a relative URL then the authority portion implicitly matches, but the rest of the URL (the path, really) still needs to match?

This fix looks more flexible and would also let you HTTPie token resources with relative URLs.

Right, .env is used for dev mode and .env.prod for full builds, which are what get packaged into the whole Cryostat OCI image when you do a mvn package.

This might explain why I can only download templates if I build the web client with yarn start:dev

Makes sense…

could we maybe add another build command in package.json that builds the web client with the dev configuration, and use that for running cryostat locally?

Maybe - I’m not sure what you mean by “for running cryostat locally” here, though. The .env.prod uses an empty authority string because that basically causes the URLs generated by the Api.service etc. to become relative URLs, so the client browser is what determines where the instance is running and where to actually send that relative URL request to. If we set the authority string to some non-empty value and package that into an OCI image then that OCI image becomes deployment-specific - it needs to have been built with an authority string that matches the scheme/host/port of where the OCI image will actually be running.

Maybe the fix we need is to instead modify the backend where it handles processing the JWT token and checking the origin, and have it be ever so slightly more lenient. If it’s given an absolute URL then the authority portion must match. If it’s given a relative URL then the authority portion implicitly matches, but the rest of the URL (the path, really) still needs to match?

Otherwise, maybe we can work around this by adding an API handler that just reports the scheme/host/port being used by the backend. This is redundant information for any client that already knows how to contact the backend server, but it could be used by the web-client on startup to initialize its authority value with the actual location of the backend it’s being served from. Or instead of adding a new API handler just for this, maybe this could simply be an extra key:value pair in the object returned by the /health handler.