Defect #32315
closed
Impossible to validate API key without modifying anything
Description
AFAICT the Redmine API has no way of validating whether a given API key is valid, short of actually attempting a write operation (POST, PUT, DELETE).
With the GitHub API, you can do:
curl --silent https://api.github.com/repos/myuser/myrepo/pulls/19999?access_token=invalid
{
  "message": "Bad credentials",
  "documentation_url": "https://developer.github.com/v3"
}
Would be great to have something like this in the Redmine API as well! Thanks for the cool software.
Updated by Nathan Cutler about 5 years ago
Try, for example:
$ curl --silent 'https://www.redmine.org/issues/32315.json?key=invalid'
Updated by Go MAEDA about 5 years ago
In the upcoming Redmine 4.1.0, you can determine if an API key is valid by checking the HTTP status code of a GET request.
Redmine 4.1.0 returns "401 Unauthorized" only when the given credential is incorrect. However, in prior versions, 401 is returned even when the REST API is disabled. The behavior change was made by #30086.
$ curl --dump-header /dev/stdout 'http://redmine-trunk.test/issues.xml?key=randompassword'
HTTP/1.1 401 Unauthorized
. . .
Updated by Go MAEDA about 4 years ago
- Related to Feature #30086: Use HTTP status code 403 instead of 401 when REST API is disabled added
Updated by Go MAEDA about 4 years ago
- Status changed from New to Closed
- Resolution set to Fixed
Fixed in Redmine 4.1.0 (#30086).
You can check if an API is correct or incorrect by sending a GET request. The API key is incorrect if the HTTP status code is 401.
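The status-code check described in this thread, as an added example that is not part of the original issue or of Redmine's code: one read-only GET classifies a key as valid (200), invalid (401) or refused (403, per #30086). It sends the key in Redmine's `X-Redmine-API-Key` header rather than in `?key=`, so the secret stays out of URLs and access logs; the `/users/current.json` default path, the result labels and the `StubRedmine` test server with its sample key are assumptions made for the example.

```python
import http.server
import threading
import urllib.error
import urllib.request


def check_api_key(base_url, api_key, path="/users/current.json"):
    """Classify a Redmine API key with one read-only GET (Redmine 4.1.0 or later)."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    # Header instead of ?key=... keeps the secret out of URLs and access logs.
    req.add_header("X-Redmine-API-Key", api_key)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    if status == 200:
        return "valid"
    if status == 401:
        return "invalid"    # before 4.1.0 a disabled REST API also answers 401
    if status == 403:
        return "forbidden"  # 4.1.0+: REST API disabled (#30086) or access denied
    return "unexpected-%d" % status


class StubRedmine(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a Redmine 4.1.0 server, for offline runs only."""
    good_key = "constructed-sample-key"
    api_enabled = True

    def do_GET(self):
        if not self.api_enabled:
            code = 403
        elif self.headers.get("X-Redmine-API-Key") == self.good_key:
            code = 200
        else:
            code = 401
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stub():
    """Start the stub on a free local port; returns (server, base_url)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), StubRedmine)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_port
```

Against a Redmine older than 4.1.0, treat an "invalid" result as ambiguous, since 401 is also what those versions return when the REST API is switched off.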