
dhis2-devs team mailing list archive

Re: API not showing 401 Unauthorized error


Try and set the header "X-Requested-With" to "XMLHttpRequest"

-- 
Morten Olav Hansen
Senior Engineer, DHIS 2
University of Oslo
http://www.dhis2.org

On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire <matavirer@xxxxxxxxx> wrote:

> Thanks Jason,
>
> In addition, if you add the '-L' option to the 2.28 and 2.29 queries as
> follows:
>
> curl -I -L -u admin:distric -H 'Accept: application/json'
> https://play.dhis2.org/2.29/api/me
>
> You get a redirect loop which seems infinite until it terminates in error
> as follows:
>
> HTTP/1.1 302
> Server: nginx/1.4.6 (Ubuntu)
> Date: Sat, 21 Apr 2018 13:13:18 GMT
> Content-Length: 0
> Connection: keep-alive
> X-XSS-Protection: 1; mode=block
> X-Frame-Options: SAMEORIGIN
> X-Content-Type-Options: nosniff
> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>
> HTTP/1.1 302
> Server: nginx/1.4.6 (Ubuntu)
> Date: Sat, 21 Apr 2018 13:13:18 GMT
> Content-Length: 0
> Connection: keep-alive
> X-XSS-Protection: 1; mode=block
> X-Frame-Options: SAMEORIGIN
> X-Content-Type-Options: nosniff
> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>
> HTTP/1.1 302
> Server: nginx/1.4.6 (Ubuntu)
> Date: Sat, 21 Apr 2018 13:13:18 GMT
> Content-Length: 0
> Connection: keep-alive
> X-XSS-Protection: 1; mode=block
> X-Frame-Options: SAMEORIGIN
> X-Content-Type-Options: nosniff
> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>
> HTTP/1.1 302
> Server: nginx/1.4.6 (Ubuntu)
> Date: Sat, 21 Apr 2018 13:13:19 GMT
> Content-Length: 0
> Connection: keep-alive
> X-XSS-Protection: 1; mode=block
> X-Frame-Options: SAMEORIGIN
> X-Content-Type-Options: nosniff
> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>
> HTTP/1.1 302
> Server: nginx/1.4.6 (Ubuntu)
> Date: Sat, 21 Apr 2018 13:13:19 GMT
> Content-Length: 0
> Connection: keep-alive
> X-XSS-Protection: 1; mode=block
> X-Frame-Options: SAMEORIGIN
> X-Content-Type-Options: nosniff
> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>
> curl: (47) SSLRead() return error -9806
>
> This causes bugs in applications that access the API for authentication, and
> I can also see how this can be used to diminish system performance in
> general.
>
> Regards,
>
> Ranga
>
> On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering <jason.p.pickering@xxxxxxxxx> wrote:
>
>> Just to try and make it a bit more clear Morten, I think the issue
>> Rangarirai is asking about is below:
>>
>> In 2.29 and 2.28, an unauthorized username/password returns a 302.
>>
>> curl -I -u admin:distric -H 'Accept: application/json'
>> https://play.dhis2.org/2.29/api/me
>> HTTP/1.1 302
>> Server: nginx/1.4.6 (Ubuntu)
>> Date: Sat, 21 Apr 2018 06:44:10 GMT
>> Content-Length: 0
>> Connection: keep-alive
>> X-XSS-Protection: 1; mode=block
>> X-Frame-Options: SAMEORIGIN
>> X-Content-Type-Options: nosniff
>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>
>>
>> In 2.27, this same request returns a 401.
>>
>> curl -I -u admin:distric -H 'Accept: application/json'
>> https://play.dhis2.org/2.27/api/me
>> HTTP/1.1 401
>> Server: nginx/1.4.6 (Ubuntu)
>> Date: Sat, 21 Apr 2018 06:44:27 GMT
>> Content-Type: text/html;charset=utf-8
>> Content-Length: 1071
>> Connection: keep-alive
>> X-XSS-Protection: 1; mode=block
>> X-Frame-Options: SAMEORIGIN
>> X-Content-Type-Options: nosniff
>> Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27;
>> HttpOnly
>> WWW-Authenticate: Basic realm="DHIS2"
>> Content-Language: en
>>
>>
>> On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire <matavirer@xxxxxxxxx> wrote:
>>
>>> Hi Morten,
>>>
>>> The password is set wrong deliberately so as to get a 401 or other
>>> response. The problem is when you set the wrong password or username you
>>> get endless redirects from the API.
>>>
>>> Regards,
>>>
>>>
>>> On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen <morten@xxxxxxxxx>
>>> wrote:
>>>
>>>> It should be district, not distric... but also people keep changing our
>>>> internal passwords (our database resets every 24 hour)
>>>>
>>>> --
>>>> Morten Olav Hansen
>>>> Senior Engineer, DHIS 2
>>>> University of Oslo
>>>> http://www.dhis2.org
>>>>
>>>> On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire <matavirer@xxxxxxxxx> wrote:
>>>>
>>>>> By the way, it's not just the error response code that is worrying, but
>>>>> also the loop of redirects that starts. This makes it difficult to handle
>>>>> the response for an HTTP client. To see this loop of redirects, you can add
>>>>> -L to curl as below.
>>>>>
>>>>> curl -I -L -u admin:distric -H 'Accept: application/json'
>>>>> https://play.dhis2.org/2.28/api/me
>>>>>
>>>>> I think this behaviour should be corrected as it may lead to
>>>>> unexpected behaviour of apps.
>>>>>
>>>>> Regards
>>>>>
>>>>> On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire <matavirer@xxxxxxxxx> wrote:
>>>>>
>>>>>> Hi Devs,
>>>>>>
>>>>>> I am wondering whether the behaviour I am seeing is a bug or
>>>>>> something to be expected due to some change.
>>>>>>
>>>>>> When I run the following curl command:
>>>>>>
>>>>>> curl -I -u admin:distric -H 'Accept: application/json'
>>>>>> https://play.dhis2.org/2.29/api/me
>>>>>>
>>>>>> I get an HTTP 302 response. Note that I have deliberately set the
>>>>>> password wrong so I can mock a 401 unauthorized response. I get the same
>>>>>> response when I run the command on version 2.28. However, as expected, when
>>>>>> I run it on 2.27, 2.26 etc I get a 401 HTTP response.
>>>>>>
>>>>>> I hope someone can assist.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Ranga
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Mailing list: https://launchpad.net/~dhis2-devs
>>>>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>>>> More help   : https://help.launchpad.net/ListHelp
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> Jason P. Pickering
>> email: jason.p.pickering@xxxxxxxxx
>> tel:+46764147049
>>
>
>
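A client-side way to cope with the behaviour discussed in this thread, as an added example (written by the editor, not DHIS2 code). It stands up a small constructed stand-in for play.dhis2.org in-process: a bad Basic credential on /api/me gets a 302 to dhis-web-commons/security/login.action, and login.action itself redirects again (the loop seen with curl -L); when the request carries X-Requested-With: XMLHttpRequest the stand-in answers 401 with WWW-Authenticate instead, which is an assumption about the real server based on Morten's hint. The client never follows redirects, sends the XHR header, and treats a 302 whose Location ends in login.action as an authentication failure rather than as something to chase.

```python
"""Added example: handle DHIS2 2.28/2.29-style 302-to-login on a bad credential.
The FakeDhis2 server is a constructed stand-in, not the real play.dhis2.org."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

LOGIN_PATH = "/dhis-web-commons/security/login.action"
VALID_TOKEN = base64.b64encode(b"admin:district").decode()


class FakeDhis2(BaseHTTPRequestHandler):
    """Constructed stand-in: good creds -> 200; bad creds -> 302 to the login
    page (which also 302s, giving the loop), or 401 if marked as an XHR
    (assumed rule, mirroring the X-Requested-With hint in the thread)."""

    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        if self.path.startswith("/api/") and auth == "Basic " + VALID_TOKEN:
            body = b'{"name":"admin"}'
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        elif self.headers.get("X-Requested-With") == "XMLHttpRequest":
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="DHIS2"')
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            host, port = self.server.server_address
            self.send_response(302)
            self.send_header("Location", "http://%s:%d%s" % (host, port, LOGIN_PATH))
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # silence request logging
        pass


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse every redirect so the 302 surfaces to the caller as an HTTPError."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def api_me(base_url, user, password, xhr=True):
    """GET /api/me with Basic auth; return (status, Location header or None)."""
    req = urllib.request.Request(base_url + "/api/me")
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    if xhr:
        req.add_header("X-Requested-With", "XMLHttpRequest")
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:  # 302 and 401 both land here
        return err.code, err.headers.get("Location")


def classify(status, location):
    """Map a response to a verdict; a 302 to the login page is an auth failure."""
    if status == 200:
        return "ok"
    if status == 401:
        return "unauthorized"
    if status == 302 and location and location.endswith(LOGIN_PATH):
        return "unauthorized"
    return "unexpected"


def demo():
    """Run the three cases from the thread against the stand-in server."""
    srv = HTTPServer(("127.0.0.1", 0), FakeDhis2)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = "http://127.0.0.1:%d" % srv.server_address[1]
    try:
        cases = {
            "good": api_me(base, "admin", "district"),
            "bad_xhr": api_me(base, "admin", "distric"),
            "bad_plain": api_me(base, "admin", "distric", xhr=False),
        }
    finally:
        srv.shutdown()
        srv.server_close()
    return {name: (status, classify(status, loc)) for name, (status, loc) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The two client-side decisions carry over to any HTTP library: disable automatic redirect following for API calls (the curl equivalent is to drop -L, or cap it with --max-redirs), and key the auth-failure branch on the redirect target rather than on the status code alone, so the client stops after one round trip instead of hammering login.action.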
