Defect #18113

REST API KEY doesn't work with basic authentication

Added by Renzo Dani over 7 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Assignee: -
Category: REST API
Target version: -
Resolution: Cant reproduce
Affected version: 2.5.2
Start date:
Due date:
% Done: 0%

Description

If I try to access the API using my key and basic authentication, it doesn't work. It does if I use the key as a parameter.

$ curl -v -u MyAPIKey:randompassword https://IP/users/current.xml

* STATE: INIT => CONNECT handle 0x800477e8; line 1028 (connection #-5000)
* Hostname was NOT found in DNS cache
*   Trying IP...
* STATE: CONNECT => WAITCONNECT handle 0x800477e8; line 1076 (connection #0)
* Connected to (IP) port 443 (#0)
* STATE: PROTOCONNECT => DO handle 0x800477e8; line 1208 (connection #0)
* Server auth using Basic with user 'MyAPIKey'
> GET /users/current.xml HTTP/1.1
> Authorization: Basic base64_of_MyAPIKey:randompassword
> User-Agent: curl/7.37.1
> Host: IP
> Accept: */*
>
* STATE: DO => DO_DONE handle 0x800477e8; line 1281 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x800477e8; line 1407 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x800477e8; line 1420 (connection #0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 401 Authorization Required
< Date: Thu, 16 Oct 2014 07:21:17 GMT
* Server Apache is not blacklisted
< Server: Apache
< Strict-Transport-Security: max-age=31536000; includeSubDomains
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Redmine API" 
< X-UA-Compatible: IE=Edge,chrome=1
< Cache-Control: no-cache
< X-Request-Id: 2ea6385fbc1564b902112fd5397a88ac
< X-Runtime: 0.006031
< X-Rack-Cache: miss
< Content-Type: application/xml; charset=utf-8
< Transfer-Encoding: chunked
<
* STATE: PERFORM => DONE handle 0x800477e8; line 1590 (connection #0)
* Connection #0 to host IP left intact
* Expire cleared

Redmine log:
Started GET "/users/current.xml" for XXX at 2014-10-16 09:21:32 +0200
Processing by UsersController#show as XML
  Parameters: {"id"=>"current"}
  Current user: anonymous
Filter chain halted as :check_if_login_required rendered or redirected
Completed 401 Unauthorized in 3.3ms (ActiveRecord: 0.7ms)

$ curl -v  https://IP/users/current.xml?key=MyAPIKey

* STATE: INIT => CONNECT handle 0x800477e8; line 1028 (connection #-5000)
* Hostname was NOT found in DNS cache
*   Trying IP...
* STATE: CONNECT => WAITCONNECT handle 0x800477e8; line 1076 (connection #0)
* Connected to (IP) port 443 (#0)
* STATE: PROTOCONNECT => DO handle 0x800477e8; line 1208 (connection #0)
> GET /users/current.xml?key=MyAPIKey HTTP/1.1
> User-Agent: curl/7.37.1
> Host: IP
> Accept: */*
>
* STATE: DO => DO_DONE handle 0x800477e8; line 1281 (connection #0)
* STATE: DO_DONE => WAITPERFORM handle 0x800477e8; line 1407 (connection #0)
* STATE: WAITPERFORM => PERFORM handle 0x800477e8; line 1420 (connection #0)
* HTTP 1.1 or later with persistent connection, pipelining supported
< HTTP/1.1 200 OK
< Date: Thu, 16 Oct 2014 07:24:31 GMT
* Server Apache is not blacklisted
< Server: Apache
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-UA-Compatible: IE=Edge,chrome=1
< ETag: "3299271e718c967be9ce47132e0f3033" 
< Cache-Control: max-age=0, private, must-revalidate
< X-Request-Id: 915ced07c7be89d4423c0dda47cfddc6
< X-Runtime: 0.072114
< X-Rack-Cache: miss
< Content-Type: application/xml; charset=utf-8
< Transfer-Encoding: chunked
<
* STATE: PERFORM => DONE handle 0x800477e8; line 1590 (connection #0)
* Connection #0 to host IP left intact
* Expire cleared
<?xml version="1.0" encoding="UTF-8"?><user><id>3</id><login>xxx</login><firstname>xxx</firstname><lastname>xxx</lastname><mail>.....

Redmine log:
Started GET "/users/current.xml?key=MyAPIKey" for 10.11.1.164 at 2014-10-16 09:24:31 +0200
Processing by UsersController#show as XML
  Parameters: {"key"=>"MyAPIKey", "id"=>"current"}
  Current user: xxx (id=3)
  Rendered users/show.api.rsb (3.6ms)
Completed 200 OK in 70.1ms (Views: 3.8ms | ActiveRecord: 21.5ms)

History

#1 Updated by Jean-Philippe Lang over 7 years ago

  • Resolution set to Cant reproduce

Works for me, here is the log:

curl -v -u APIKEY:x http://localhost:3000/users/current.xml
* About to connect() to localhost port 3000 (#0)
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 3000 (#0)
* Server auth using Basic with user 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
> GET /users/current.xml HTTP/1.1
> Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> User-Agent: curl/7.21.7 (i386-pc-win32) libcurl/7.21.7 OpenSSL/0.9.8r zlib/1.2.5
> Host: localhost:3000
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/xml; charset=utf-8
< X-Ua-Compatible: IE=Edge,chrome=1
< Etag: "f860172708eab3bd9cc77ab5d06dd92e" 
< Cache-Control: max-age=0, private, must-revalidate
< X-Request-Id: 3b5e68817197f861fdf5f5d83e34b376
< X-Runtime: 0.546001
< Server: WEBrick/1.3.1 (Ruby/2.0.0/2014-05-08)
< Date: Thu, 16 Oct 2014 19:27:03 GMT
< Content-Length: 456
< Connection: Keep-Alive
<
<?xml version="1.0" encoding="UTF-8"?><user><id>1</id><login>jplang</login><firstname>Jean-Philippe</firstname><lastname>Lang</lastname><mail>jp_lang@xxxxx.xx</mail><created_on>2007-09-27T22:16:04Z</created_on><last_login_on>2014-10-16T19:24:08Z</last_login_on><api_key>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</api_key><status>1</status><custom_fields type="array"><custom_field id="3" name="IRC nick"><value></value></custom_field></custom_fields></user>* Connection #0 to host localhost left intact
* Closing connection #0

#2 Updated by Jean-Philippe Lang over 7 years ago

  • Status changed from New to Closed

Make sure that your web server forwards the authorization header.

#3 Updated by Renzo Dani over 7 years ago

I searched a lot until I found the solution.
I'm using Apache and FastCGI.
In order to properly forward basic authentication, the following rewrite rule is necessary in .htaccess:

RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]

I'll create a pull request for that, because the config is not present in htaccess.fcgi.example.
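Why that rewrite rule restores API-key authentication, as an added illustration (this is not Redmine's code or code from this thread): Rails resolves the Authorization header from several CGI variable names in turn, and the `E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization}` flag re-delivers the value under one of those fallback names (prefixed with `REDIRECT_` after mod_rewrite's internal redirect) even when the FastCGI layer has dropped `HTTP_AUTHORIZATION`. The key-to-login table and the two Rack env hashes below are constructed sample values.

```ruby
require 'base64'

# CGI variable names Rails checks, in order, when a controller asks for
# request.authorization (mirrors ActionDispatch::Request#authorization).
AUTH_ENV_KEYS = %w[
  HTTP_AUTHORIZATION
  X-HTTP_AUTHORIZATION
  X_HTTP_AUTHORIZATION
  REDIRECT_X_HTTP_AUTHORIZATION
].freeze

# Raw Authorization value the app would see for this Rack env, or nil.
def authorization_header(env)
  AUTH_ENV_KEYS.each do |key|
    value = env[key]
    return value if value && !value.empty?
  end
  nil
end

# Decode "Basic <base64>" into [user, password]; nil if absent or malformed.
def basic_credentials(env)
  header = authorization_header(env)
  return nil unless header && header.start_with?('Basic ')
  begin
    decoded = Base64.strict_decode64(header.split(' ', 2).last)
  rescue ArgumentError
    return nil
  end
  user, password = decoded.split(':', 2)
  [user, password || '']
end

# Redmine accepts the API key as the basic-auth username and ignores the
# password. Returns the matching login, or :anonymous as the Redmine log shows.
def api_user(env, keys_to_logins)
  creds = basic_credentials(env)
  return :anonymous unless creds
  keys_to_logins.fetch(creds.first, :anonymous)
end

# Constructed sample data (not real credentials).
KEYS = { 'MyAPIKey' => 'xxx' }.freeze
BASIC = 'Basic ' + Base64.strict_encode64('MyAPIKey:randompassword')

# FastCGI dropped the header entirely: the 401 / "Current user: anonymous" case.
STRIPPED_ENV = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/users/current.xml' }.freeze
# With the RewriteRule in place the value arrives under the REDIRECT_ fallback.
FORWARDED_ENV = STRIPPED_ENV.merge('REDIRECT_X_HTTP_AUTHORIZATION' => BASIC).freeze
```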

#4 Updated by Alexander Kirillov about 5 years ago

Thanks for sharing this. The rewrite rule in public/htaccess.fcgi.example should probably be changed to this one.
