Bug #4463

closed

Broken API authentication

Added by Jan Mach almost 6 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Urgent
Assignee:
Category: Development - GUI
Target version:
Start date: 11/30/2018
Due date:
% Done: 100%
Estimated time:
To be discussed:

Description

Vašek Bartoš reported that the API authentication using tokens is broken. The following example curl command does not work:

curl -F "api_key=..." https://mentat-hub.cesnet.cz/mentat/api/events/search
Actions #1

Updated by Jan Mach almost 6 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 90

After lots of research I have discovered that the problem was in flask_principal not getting information about the identity change. This was not discovered during testing, because for some reason API token authentication works after a previous login/logout of the user. The problem only occurs when accessing the API using curl or a similar tool, or without prior user authentication within the browser. I have found a solution in this thread:

https://github.com/mattupstate/flask-principal/issues/22#issuecomment-145897838

The attached commit should resolve the issue. I will deploy the fix to the production server.

Actions #2

Updated by Jan Mach almost 6 years ago

  • Description updated (diff)
  • Status changed from In Progress to Closed
  • % Done changed from 90 to 100

I have deployed the fix to the production server and verified it works. You may use the following example command:

curl -F "api_key=..." "https://mentat-hub.cesnet.cz/mentat/api/events/search?submit=Search"

Please be aware that it is required to use the HTTP GET parameter submit to actually execute the query (documented here). The reason for that is that both the API endpoint and the user search form use the same underlying form code and therefore check for the press of the search button.

Actions #3

Updated by Jan Mach almost 6 years ago

Note: This patch is not yet part of the production package; it was, however, merged to the master branch and is therefore available for use cases via the Git repository.
