dhis2-devs team mailing list archive
-
dhis2-devs team
-
Mailing list archive
-
Message #51082
Re: API not showing 401 Unauthorized error
Hi Morten,
I am going to persist here, as its still not clear to me what has changed
in the API.
Ranga documents that the API behavior has changed when trying to access
/api/me with basic authentication. It has changed from a 401 to a 302. This
also breaks the API tests (
https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38)
which also expects a 401. This is all fine, but could you provide a bit
more context on the change in behavior and whether this is expected?
Regards,
Jason
On Mon, Apr 23, 2018 at 2:53 AM, Morten Olav Hansen <morten@xxxxxxxxx>
wrote:
> Try and set the header "X-Requested-With" to "XMLHttpRequest"
>
> --
> Morten Olav Hansen
> Senior Engineer, DHIS 2
> University of Oslo
> http://www.dhis2.org
>
> On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire <matavirer@xxxxxxxxx>
> wrote:
>
>> Thanks Jason,
>>
>> In addition, if you add the '-L' option to the 2.28 and 2.29 queries as
>> follows:
>>
>> curl -I -L -u admin:distric -H 'Accept: application/json'
>> https://play.dhis2.org/2.29/api/me
>>
>> You get a redirect loop which seems infinite until it terminates in error
>> as follows:
>>
>> HTTP/1.1 302
>>
>> Server: nginx/1.4.6 (Ubuntu)
>>
>> Date: Sat, 21 Apr 2018 13:13:18 GMT
>>
>> Content-Length: 0
>>
>> Connection: keep-alive
>>
>> X-XSS-Protection: 1; mode=block
>>
>> X-Frame-Options: SAMEORIGIN
>>
>> X-Content-Type-Options: nosniff
>>
>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.
>> action
>>
>>
>> HTTP/1.1 302
>>
>> Server: nginx/1.4.6 (Ubuntu)
>>
>> Date: Sat, 21 Apr 2018 13:13:18 GMT
>>
>> Content-Length: 0
>>
>> Connection: keep-alive
>>
>> X-XSS-Protection: 1; mode=block
>>
>> X-Frame-Options: SAMEORIGIN
>>
>> X-Content-Type-Options: nosniff
>>
>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.
>> action
>>
>>
>> HTTP/1.1 302
>>
>> Server: nginx/1.4.6 (Ubuntu)
>>
>> Date: Sat, 21 Apr 2018 13:13:18 GMT
>>
>> Content-Length: 0
>>
>> Connection: keep-alive
>>
>> X-XSS-Protection: 1; mode=block
>>
>> X-Frame-Options: SAMEORIGIN
>>
>> X-Content-Type-Options: nosniff
>>
>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.
>> action
>>
>>
>> HTTP/1.1 302
>>
>> Server: nginx/1.4.6 (Ubuntu)
>>
>> Date: Sat, 21 Apr 2018 13:13:19 GMT
>>
>> Content-Length: 0
>>
>> Connection: keep-alive
>>
>> X-XSS-Protection: 1; mode=block
>>
>> X-Frame-Options: SAMEORIGIN
>>
>> X-Content-Type-Options: nosniff
>>
>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.
>> action
>>
>>
>> HTTP/1.1 302
>>
>> Server: nginx/1.4.6 (Ubuntu)
>>
>> Date: Sat, 21 Apr 2018 13:13:19 GMT
>>
>> Content-Length: 0
>>
>> Connection: keep-alive
>>
>> X-XSS-Protection: 1; mode=block
>>
>> X-Frame-Options: SAMEORIGIN
>>
>> X-Content-Type-Options: nosniff
>>
>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.
>> action
>>
>>
>> curl: (47) SSLRead() return error -9806
>>
>> This causes bug in applications that access the api for authentication
>> and I can also see how this can be used to diminish system performance in
>> general.
>>
>> Regards,
>>
>> Ranga
>>
>> On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering <
>> jason.p.pickering@xxxxxxxxx> wrote:
>>
>>> Just to try and make it a bit more clear Morten, I think this is the
>>> issue Rangarai is asking about is below:
>>>
>>> In 2.29 and 2.28, an unauthorized username/password returns a 302.
>>>
>>> curl -I -u admin:distric -H 'Accept: application/json'
>>> https://play.dhis2.org/2.29/api/me
>>> HTTP/1.1 302
>>> Server: nginx/1.4.6 (Ubuntu)
>>> Date: Sat, 21 Apr 2018 06:44:10 GMT
>>> Content-Length: 0
>>> Connection: keep-alive
>>> X-XSS-Protection: 1; mode=block
>>> X-Frame-Options: SAMEORIGIN
>>> X-Content-Type-Options: nosniff
>>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.
>>> action
>>>
>>>
>>> In 2.27, this same request returns a 401.
>>>
>>> curl -I -u admin:distric -H 'Accept: application/json'
>>> https://play.dhis2.org/2.27/api/me
>>> HTTP/1.1 401
>>> Server: nginx/1.4.6 (Ubuntu)
>>> Date: Sat, 21 Apr 2018 06:44:27 GMT
>>> Content-Type: text/html;charset=utf-8
>>> Content-Length: 1071
>>> Connection: keep-alive
>>> X-XSS-Protection: 1; mode=block
>>> X-Frame-Options: SAMEORIGIN
>>> X-Content-Type-Options: nosniff
>>> Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27;
>>> HttpOnly
>>> WWW-Authenticate: Basic realm="DHIS2"
>>> Content-Language: en
>>>
>>>
>>> On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire <
>>> matavirer@xxxxxxxxx> wrote:
>>>
>>>> Hi Morten,
>>>>
>>>> The password is set wrong deliberately so as to get a 401 or other
>>>> response. The problem is when you set the wrong password or username you
>>>> get endless redirects from the API.
>>>>
>>>> Regards,
>>>>
>>>>
>>>> On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen <morten@xxxxxxxxx>
>>>> wrote:
>>>>
>>>>> It should be district, not distric... but also people keep changing
>>>>> our internal passwords (our database resets every 24 hour)
>>>>>
>>>>> --
>>>>> Morten Olav Hansen
>>>>> Senior Engineer, DHIS 2
>>>>> University of Oslo
>>>>> http://www.dhis2.org
>>>>>
>>>>> On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire <
>>>>> matavirer@xxxxxxxxx> wrote:
>>>>>
>>>>>> By the way, its not just the error response code that is worrying,
>>>>>> but also the loop of redirects that starts, this makes it difficult to
>>>>>> handle the response for an http client. To see this loop of redirects, you
>>>>>> can add -L to curl as below.
>>>>>>
>>>>>> curl -I -L -u admin:distric -H 'Accept: application/json'
>>>>>> https://play.dhis2.org/2.28/api/me
>>>>>>
>>>>>> I think this behaviour should be corrected as it may lead to
>>>>>> unexpected behaviour of apps.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire <
>>>>>> matavirer@xxxxxxxxx> wrote:
>>>>>>
>>>>>>> Hi Devs,
>>>>>>>
>>>>>>> I am wondering whether the behaviour I am seeing is a bug or
>>>>>>> something to be expected due to some change.
>>>>>>>
>>>>>>> When I run the following curl command:
>>>>>>>
>>>>>>> curl -I -u admin:distric -H 'Accept: application/json'
>>>>>>> https://play.dhis2.org/2.29/api/me
>>>>>>>
>>>>>>> I get an HTTP 302 response. Note that I have deliberately set the
>>>>>>> password wrong so I can mock a 401 unauthorized response. I get the same
>>>>>>> response when I run the command on version 2.28. However, as expected, when
>>>>>>> I run it on 2.27, 2.26 etc I get a 401 HTTP response.
>>>>>>>
>>>>>>> I hope someone can assist.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Ranga
>>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Mailing list: https://launchpad.net/~dhis2-devs
>>>>>> Post to : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>>>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>>>>> More help : https://help.launchpad.net/ListHelp
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Mailing list: https://launchpad.net/~dhis2-devs
>>>> Post to : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>>> More help : https://help.launchpad.net/ListHelp
>>>>
>>>>
>>>
>>>
>>> --
>>> Jason P. Pickering
>>> email: jason.p.pickering@xxxxxxxxx
>>> tel:+46764147049
>>>
>>
>>
>
--
Jason P. Pickering
email: jason.p.pickering@xxxxxxxxx
tel:+46764147049
Follow ups
References