dhis2-devs team mailing list archive

[Rangarirai Matavire <matavirer@xxxxxxxxx>]

Thanks Jason,

In addition, if you add the '-L' option to the 2.28 and 2.29 queries as
follows:

curl -I -L -u admin:distric -H 'Accept: application/json'
https://play.dhis2.org/2.29/api/me

You get a redirect loop which seems infinite until it terminates in error
as follows:

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action


HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action


HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action


HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action


HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action


curl: (47) SSLRead() return error -9806

This causes bug in applications that access the api for authentication and
I can also see how this can be used to diminish system performance in
general.

Regards,

Ranga

On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering <
jason.p.pickering@xxxxxxxxx> wrote:

> Just to try and make it a bit more clear Morten, I think this is the issue
> Rangarai is asking about is  below:
>
> In 2.29 and 2.28, an unauthorized username/password returns a 302.
>
> curl -I -u admin:distric -H 'Accept: application/json'
> https://play.dhis2.org/2.29/api/me
> HTTP/1.1 302
> Server: nginx/1.4.6 (Ubuntu)
> Date: Sat, 21 Apr 2018 06:44:10 GMT
> Content-Length: 0
> Connection: keep-alive
> X-XSS-Protection: 1; mode=block
> X-Frame-Options: SAMEORIGIN
> X-Content-Type-Options: nosniff
> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/
> login.action
>
>
> In 2.27, this same request returns a 401.
>
> curl -I -u admin:distric -H 'Accept: application/json'
> https://play.dhis2.org/2.27/api/me
> HTTP/1.1 401
> Server: nginx/1.4.6 (Ubuntu)
> Date: Sat, 21 Apr 2018 06:44:27 GMT
> Content-Type: text/html;charset=utf-8
> Content-Length: 1071
> Connection: keep-alive
> X-XSS-Protection: 1; mode=block
> X-Frame-Options: SAMEORIGIN
> X-Content-Type-Options: nosniff
> Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27;
> HttpOnly
> WWW-Authenticate: Basic realm="DHIS2"
> Content-Language: en
>
>
> On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire <matavirer@xxxxxxxxx>
> wrote:
>
>> Hi Morten,
>>
>> The password is set wrong deliberately so as to get a 401 or other
>> response. The problem is when you set the wrong password or username you
>> get endless redirects from the API.
>>
>> Regards,
>>
>>
>> On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen <morten@xxxxxxxxx>
>> wrote:
>>
>>> It should be district, not distric... but also people keep changing our
>>> internal passwords (our database resets every 24 hour)
>>>
>>> --
>>> Morten Olav Hansen
>>> Senior Engineer, DHIS 2
>>> University of Oslo
>>> http://www.dhis2.org
>>>
>>> On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire <
>>> matavirer@xxxxxxxxx> wrote:
>>>
>>>> By the way, its not just the error response code that is worrying, but
>>>> also the loop of redirects that starts, this makes it difficult to handle
>>>> the response for an http client. To see this loop of redirects, you can add
>>>> -L to curl as below.
>>>>
>>>> curl -I -L -u admin:distric -H 'Accept: application/json'
>>>> https://play.dhis2.org/2.28/api/me
>>>>
>>>> I think this behaviour should be corrected as it may lead to unexpected
>>>> behaviour of apps.
>>>>
>>>> Regards
>>>>
>>>> On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire <
>>>> matavirer@xxxxxxxxx> wrote:
>>>>
>>>>> Hi Devs,
>>>>>
>>>>> I am wondering whether the behaviour I am seeing is a bug or something
>>>>> to be expected due to some change.
>>>>>
>>>>> When I run the following curl command:
>>>>>
>>>>> curl -I -u admin:distric -H 'Accept: application/json'
>>>>> https://play.dhis2.org/2.29/api/me
>>>>>
>>>>> I get an HTTP 302 response. Note that I have deliberately set the
>>>>> password wrong so I can mock a 401 unauthorized response. I get the same
>>>>> response when I run the command on version 2.28. However, as expected, when
>>>>> I run it on 2.27, 2.26 etc I get a 401 HTTP response.
>>>>>
>>>>> I hope someone can assist.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Ranga
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Mailing list: https://launchpad.net/~dhis2-devs
>>>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>>> More help   : https://help.launchpad.net/ListHelp
>>>>
>>>>
>>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-devs
>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-devs
>> More help   : https://help.launchpad.net/ListHelp
>>
>>
>
>
> --
> Jason P. Pickering
> email: jason.p.pickering@xxxxxxxxx
> tel:+46764147049
>