dhis2-devs team mailing list archive

Thread
Date

Re: API not showing 401 Unauthorized error

To: Jason Pickering <jason.p.pickering@xxxxxxxxx>
From: Bob Jolliffe <bobjolliffe@xxxxxxxxx>
Date: Mon, 23 Apr 2018 11:36:24 +0200
Cc: DHIS 2 Developers list <dhis2-devs@xxxxxxxxxxxxxxxxxxx>
In-reply-to: <CADsNmhtak4J5oRhz9dbZCpgDbTYudFFvyc-KgGVwCYsgRr0MdQ@mail.gmail.com>

Hi Jason

I am not sure that this is all fine.  It looks to me like this is a
bug which has slipped in and that the original 401 response is the
correct expected behaviour.  API users using pre-emptive basic
authentication have no good reason to be redirected to the login page
with invalid credentials.

Regards
Bob

On 23 April 2018 at 09:46, Jason Pickering <jason.p.pickering@xxxxxxxxx> wrote:
> Hi Morten,
>
> I am going to persist here, as its still not clear to me what has changed in
> the API.
>
> Ranga documents that the API behavior has changed when trying to access
> /api/me with basic authentication. It has changed from a 401 to a 302. This
> also breaks the API tests
> (https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38)
> which also expects a 401. This is all fine, but could you provide a bit more
> context on the change in behavior and whether this is expected?
>
> Regards,
> Jason
>
>
>
>
> On Mon, Apr 23, 2018 at 2:53 AM, Morten Olav Hansen <morten@xxxxxxxxx>
> wrote:
>>
>> Try and set the header "X-Requested-With" to "XMLHttpRequest"
>>
>> --
>> Morten Olav Hansen
>> Senior Engineer, DHIS 2
>> University of Oslo
>> http://www.dhis2.org
>>
>> On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire <matavirer@xxxxxxxxx>
>> wrote:
>>>
>>> Thanks Jason,
>>>
>>> In addition, if you add the '-L' option to the 2.28 and 2.29 queries as
>>> follows:
>>>
>>> curl -I -L -u admin:distric -H 'Accept: application/json'
>>> https://play.dhis2.org/2.29/api/me
>>>
>>>
>>> You get a redirect loop which seems infinite until it terminates in error
>>> as follows:
>>>
>>> HTTP/1.1 302
>>>
>>> Server: nginx/1.4.6 (Ubuntu)
>>>
>>> Date: Sat, 21 Apr 2018 13:13:18 GMT
>>>
>>> Content-Length: 0
>>>
>>> Connection: keep-alive
>>>
>>> X-XSS-Protection: 1; mode=block
>>>
>>> X-Frame-Options: SAMEORIGIN
>>>
>>> X-Content-Type-Options: nosniff
>>>
>>> Location:
>>> https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>>
>>>
>>> HTTP/1.1 302
>>>
>>> Server: nginx/1.4.6 (Ubuntu)
>>>
>>> Date: Sat, 21 Apr 2018 13:13:18 GMT
>>>
>>> Content-Length: 0
>>>
>>> Connection: keep-alive
>>>
>>> X-XSS-Protection: 1; mode=block
>>>
>>> X-Frame-Options: SAMEORIGIN
>>>
>>> X-Content-Type-Options: nosniff
>>>
>>> Location:
>>> https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>>
>>>
>>> HTTP/1.1 302
>>>
>>> Server: nginx/1.4.6 (Ubuntu)
>>>
>>> Date: Sat, 21 Apr 2018 13:13:18 GMT
>>>
>>> Content-Length: 0
>>>
>>> Connection: keep-alive
>>>
>>> X-XSS-Protection: 1; mode=block
>>>
>>> X-Frame-Options: SAMEORIGIN
>>>
>>> X-Content-Type-Options: nosniff
>>>
>>> Location:
>>> https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>>
>>>
>>> HTTP/1.1 302
>>>
>>> Server: nginx/1.4.6 (Ubuntu)
>>>
>>> Date: Sat, 21 Apr 2018 13:13:19 GMT
>>>
>>> Content-Length: 0
>>>
>>> Connection: keep-alive
>>>
>>> X-XSS-Protection: 1; mode=block
>>>
>>> X-Frame-Options: SAMEORIGIN
>>>
>>> X-Content-Type-Options: nosniff
>>>
>>> Location:
>>> https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>>
>>>
>>> HTTP/1.1 302
>>>
>>> Server: nginx/1.4.6 (Ubuntu)
>>>
>>> Date: Sat, 21 Apr 2018 13:13:19 GMT
>>>
>>> Content-Length: 0
>>>
>>> Connection: keep-alive
>>>
>>> X-XSS-Protection: 1; mode=block
>>>
>>> X-Frame-Options: SAMEORIGIN
>>>
>>> X-Content-Type-Options: nosniff
>>>
>>> Location:
>>> https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>>
>>>
>>> curl: (47) SSLRead() return error -9806
>>>
>>>
>>> This causes bug in applications that access the api for authentication
>>> and I can also see how this can be used to diminish system performance in
>>> general.
>>>
>>> Regards,
>>>
>>> Ranga
>>>
>>> On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering
>>> <jason.p.pickering@xxxxxxxxx> wrote:
>>>>
>>>> Just to try and make it a bit more clear Morten, I think this is the
>>>> issue Rangarai is asking about is  below:
>>>>
>>>> In 2.29 and 2.28, an unauthorized username/password returns a 302.
>>>>
>>>> curl -I -u admin:distric -H 'Accept: application/json'
>>>> https://play.dhis2.org/2.29/api/me
>>>> HTTP/1.1 302
>>>> Server: nginx/1.4.6 (Ubuntu)
>>>> Date: Sat, 21 Apr 2018 06:44:10 GMT
>>>> Content-Length: 0
>>>> Connection: keep-alive
>>>> X-XSS-Protection: 1; mode=block
>>>> X-Frame-Options: SAMEORIGIN
>>>> X-Content-Type-Options: nosniff
>>>> Location:
>>>> https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>>>
>>>>
>>>> In 2.27, this same request returns a 401.
>>>>
>>>> curl -I -u admin:distric -H 'Accept: application/json'
>>>> https://play.dhis2.org/2.27/api/me
>>>> HTTP/1.1 401
>>>> Server: nginx/1.4.6 (Ubuntu)
>>>> Date: Sat, 21 Apr 2018 06:44:27 GMT
>>>> Content-Type: text/html;charset=utf-8
>>>> Content-Length: 1071
>>>> Connection: keep-alive
>>>> X-XSS-Protection: 1; mode=block
>>>> X-Frame-Options: SAMEORIGIN
>>>> X-Content-Type-Options: nosniff
>>>> Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27;
>>>> HttpOnly
>>>> WWW-Authenticate: Basic realm="DHIS2"
>>>> Content-Language: en
>>>>
>>>>
>>>> On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire
>>>> <matavirer@xxxxxxxxx> wrote:
>>>>>
>>>>> Hi Morten,
>>>>>
>>>>> The password is set wrong deliberately so as to get a 401 or other
>>>>> response. The problem is when you set the wrong password or username you get
>>>>> endless redirects from the API.
>>>>>
>>>>> Regards,
>>>>>
>>>>>
>>>>> On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen <morten@xxxxxxxxx>
>>>>> wrote:
>>>>>>
>>>>>> It should be district, not distric... but also people keep changing
>>>>>> our internal passwords (our database resets every 24 hour)
>>>>>>
>>>>>> --
>>>>>> Morten Olav Hansen
>>>>>> Senior Engineer, DHIS 2
>>>>>> University of Oslo
>>>>>> http://www.dhis2.org
>>>>>>
>>>>>> On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire
>>>>>> <matavirer@xxxxxxxxx> wrote:
>>>>>>>
>>>>>>> By the way, its not just the error response code that is worrying,
>>>>>>> but also the loop of redirects that starts, this makes it difficult to
>>>>>>> handle the response for an http client. To see this loop of redirects, you
>>>>>>> can add -L to curl as below.
>>>>>>>
>>>>>>> curl -I -L -u admin:distric -H 'Accept: application/json'
>>>>>>> https://play.dhis2.org/2.28/api/me
>>>>>>>
>>>>>>>
>>>>>>> I think this behaviour should be corrected as it may lead to
>>>>>>> unexpected behaviour of apps.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire
>>>>>>> <matavirer@xxxxxxxxx> wrote:
>>>>>>>>
>>>>>>>> Hi Devs,
>>>>>>>>
>>>>>>>> I am wondering whether the behaviour I am seeing is a bug or
>>>>>>>> something to be expected due to some change.
>>>>>>>>
>>>>>>>> When I run the following curl command:
>>>>>>>>
>>>>>>>> curl -I -u admin:distric -H 'Accept: application/json'
>>>>>>>> https://play.dhis2.org/2.29/api/me
>>>>>>>>
>>>>>>>>
>>>>>>>> I get an HTTP 302 response. Note that I have deliberately set the
>>>>>>>> password wrong so I can mock a 401 unauthorized response. I get the same
>>>>>>>> response when I run the command on version 2.28. However, as expected, when
>>>>>>>> I run it on 2.27, 2.26 etc I get a 401 HTTP response.
>>>>>>>>
>>>>>>>> I hope someone can assist.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>>
>>>>>>>> Ranga
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Mailing list: https://launchpad.net/~dhis2-devs
>>>>>>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>>>>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>>>>>> More help   : https://help.launchpad.net/ListHelp
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Mailing list: https://launchpad.net/~dhis2-devs
>>>>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>>>> More help   : https://help.launchpad.net/ListHelp
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Jason P. Pickering
>>>> email: jason.p.pickering@xxxxxxxxx
>>>> tel:+46764147049
>>>
>>>
>>
>
>
>
> --
> Jason P. Pickering
> email: jason.p.pickering@xxxxxxxxx
> tel:+46764147049
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>

Follow ups

Re: API not showing 401 Unauthorized error
From: Jason Pickering, 2018-04-23

References

API not showing 401 Unauthorized error
From: Rangarirai Matavire, 2018-04-18
Re: API not showing 401 Unauthorized error
From: Rangarirai Matavire, 2018-04-20
Re: API not showing 401 Unauthorized error
From: Morten Olav Hansen, 2018-04-20
Re: API not showing 401 Unauthorized error
From: Rangarirai Matavire, 2018-04-20
Re: API not showing 401 Unauthorized error
From: Jason Pickering, 2018-04-21
Re: API not showing 401 Unauthorized error
From: Rangarirai Matavire, 2018-04-21
Re: API not showing 401 Unauthorized error
From: Morten Olav Hansen, 2018-04-23
Re: API not showing 401 Unauthorized error
From: Jason Pickering, 2018-04-23