Bug #4463
Broken API authentication
Status: Closed
% Done: 100%
Description
Vašek Bartoš reported that the API authentication using tokens is broken. The following example curl
command does not work:
curl -F "api_key=..." https://mentat-hub.cesnet.cz/mentat/api/events/search
Updated by Jan Mach almost 6 years ago
- Status changed from New to In Progress
- % Done changed from 0 to 90
After lots of research I have discovered that the problem was in flask_principal not getting information about the identity change. This was not discovered during testing, because for some reason API token authentication works after a previous login/logout of the user. The problem only occurs when accessing the API using curl or a similar tool, or without prior user authentication within the browser. I have found a solution in this thread:
https://github.com/mattupstate/flask-principal/issues/22#issuecomment-145897838
The attached commit should resolve the issue. I will deploy the fix to the production server.
Updated by Jan Mach almost 6 years ago
- Description updated (diff)
- Status changed from In Progress to Closed
- % Done changed from 90 to 100
I have deployed the fix to the production server and verified it works. You may use the following example command:
curl -F "api_key=..." "https://mentat-hub.cesnet.cz/mentat/api/events/search?submit=Search"
Please be aware that it is required to use the HTTP GET parameter submit to actually execute the query (documented here). The reason for that is that both the API endpoint and the user search form use the same underlying form code and therefore check for the press of the search button.
Updated by Jan Mach almost 6 years ago
Note: This patch is not yet part of the production package; it was, however, merged to the master branch and is therefore available for use cases via the Git repository.