Bug #4463


Broken API authentication

Added by Jan Mach about 5 years ago. Updated about 5 years ago.

Development - GUI


Vašek Bartoš reported that the API authentication using tokens is broken. The following example curl command does not work:

curl -F "api_key=..."

Actions #1

Updated by Jan Mach about 5 years ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 90

After lots of research, I have discovered that the problem was in flask_principal not getting information about the identity change. This was not discovered during testing, because for some reason API token authentication works after a previous login/logout of the user. The problem only occurs when accessing the API using curl or a similar tool, or without prior user authentication within the browser. I have found a solution in this thread:

The attached commit should resolve the issue. I will deploy the fix to the production server.

Actions #2

Updated by Jan Mach about 5 years ago

  • Description updated (diff)
  • Status changed from In Progress to Closed
  • % Done changed from 90 to 100

I have deployed the fix to the production server and verified it works. You may use the following example command:

curl -F "api_key=..."

Please be aware that it is required to use the HTTP GET parameter submit to actually execute the query (documented here). The reason for that is that both the API endpoint and the user search form use the same underlying form code and therefore check for the press of the search button.

Actions #3

Updated by Jan Mach about 5 years ago

Note: This patch is not yet part of the production package; it was, however, merged to the master branch and is therefore available for use cases via the Git repository.

