Redmine - Defect #32315: Impossible to validate API key without modifying anything
https://www.redmine.org/issues/32315?journal_id=94457 2019-10-21T20:12:50Z Nathan Cutler
<p>Try, for example:</p>
<pre>
$ curl --silent 'https://www.redmine.org/issues/32315.json?key=invalid'
</pre>
https://www.redmine.org/issues/32315?journal_id=94461 2019-10-21T23:06:38Z Go MAEDA
<ul><li><strong>Category</strong> set to <i>REST API</i></li></ul>
https://www.redmine.org/issues/32315?journal_id=94745 2019-11-04T00:19:00Z Go MAEDA
<p>In the upcoming Redmine 4.1.0, you can determine if an API key is valid by checking the HTTP status code of a GET request.</p>
<p>Redmine 4.1.0 returns "401 Unauthorized" only when the given credential is incorrect. However, in prior versions, 401 is returned even when the REST API is disabled. The behavior change was made by <a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Use HTTP status code 403 instead of 401 when REST API is disabled (Closed)" href="https://www.redmine.org/issues/30086">#30086</a>.</p>
<pre>
$ curl --dump-header /dev/stdout 'http://redmine-trunk.test/issues.xml?key=randompassword'
HTTP/1.1 401 Unauthorized
.
.
.
</pre>
https://www.redmine.org/issues/32315?journal_id=99543 2020-10-25T07:02:00Z Go MAEDA
<ul><li><strong>Related to</strong> <i><a class="issue tracker-2 status-5 priority-4 priority-default closed" href="/issues/30086">Feature #30086</a>: Use HTTP status code 403 instead of 401 when REST API is disabled</i> added</li></ul>
https://www.redmine.org/issues/32315?journal_id=99545 2020-10-25T07:04:44Z Go MAEDA
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Closed</i></li><li><strong>Resolution</strong> set to <i>Fixed</i></li></ul><p>Fixed in Redmine 4.1.0 (<a class="issue tracker-2 status-5 priority-4 priority-default closed" title="Feature: Use HTTP status code 403 instead of 401 when REST API is disabled (Closed)" href="https://www.redmine.org/issues/30086">#30086</a>).</p>
<p>You can check if an API is correct or incorrect by sending a GET request. The API key is incorrect if the HTTP status code is 401.</p>
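<p>The read-only check described in this thread, as an added example that is not part of the original issue or of Redmine's code. Assumptions: the function name <code>redmine_key_state</code> and its output labels are hypothetical, the URL passed in must be one that requires authentication, and the key is sent in Redmine's <code>X-Redmine-API-Key</code> header instead of the <code>key=</code> query parameter used above.</p>

```shell
# Added example: classify an API key from the status of a single GET request,
# so nothing on the server is modified.
# Mapping from the thread (Redmine >= 4.1.0): 401 = credential is incorrect,
# 403 = REST API disabled (#30086). Before 4.1.0, 401 is also returned when
# the REST API is disabled, so "invalid" is ambiguous on older servers.

# Usage: redmine_key_state URL KEY
# Prints: valid | invalid | forbidden | unreachable | unexpected:<code>
redmine_key_state() {
    local url="$1" key="$2" code
    # Sending the key as a header keeps it out of the request URL, and so out
    # of web server access logs and proxy logs.
    # --output /dev/null drops the body; --write-out prints only the status.
    code=$(curl --silent --max-time 10 --output /dev/null \
                --write-out '%{http_code}' \
                --header "X-Redmine-API-Key: ${key}" "$url") || code=000
    case "$code" in
        2??) echo valid ;;
        401) echo invalid ;;
        # Per #30086 this means the REST API is disabled; a permission denial
        # on the requested resource can produce the same status.
        403) echo forbidden ;;
        # curl reports 000 when no HTTP response was received at all.
        000) echo unreachable ;;
        *)   echo "unexpected:${code}" ;;
    esac
}
```

<p>Call it as <code>redmine_key_state 'http://redmine-trunk.test/issues.xml' "$KEY"</code>. Only <code>valid</code> and <code>invalid</code> are statements about the key itself; the other results indicate a server or network condition and should not be treated as a rejected key.</p>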