Why access to REST API "not-authorized" ?

Ron

Hi,

I would like to access to REST API on NodeBB 0.9.2 and when I make a call to for example NodebbURL/api/users when not authenticated I have in response "not-authorized" and I don't know why ?

Is there a configuration to allow access to REST API when not authenticated ?

Thanks in advance.

Kind regards.

anas ameziane

Hello,

I have the same issue. In the beginning the API calls works great. but after rebooting nodeBB API become inaccessible:
curl -i http://127.0.0.1:4567/api/groups
HTTP/1.1 401 Unauthorized
X-Powered-By: NodeBB
X-Frame-Options: SAMEORIGIN
Content-Type: application/json; charset=utf-8
Content-Length: 16
ETag: W/"10-vtDQr4TNdqPmUlGMXxiHnw"
set-cookie: express.sid=s%3At24DNKdbFbQj-4EZ9sr7xaKObOuhgqP9.yb6jCZG%2BSYPIW7AOsEfSiu6rs4ZwES4k5cEG5tm6QIs; Path=/; Expires=Thu, 31 Mar 2016 18:45:00 GMT; HttpOnly
Vary: Accept-Encoding
Date: Thu, 17 Mar 2016 18:45:00 GMT
Connection: keep-alive

"not-authorized"

any idea

Thanks.

julian

401 Unauthorized is returned when the page you are requesting is private. In @Ron's case, he has enabled user privacy. Not quite sure why you can't query /api/groups, @anas-ameziane

Ron

Ok thanks a lot Julian. User privacy activation was the problem.

Kind regards.

alexschomb

So, how can we authorize/authenticate for the Read API? The Write API plugin allows us to generate bearer tokens or JWT, but these don't seem to work with the Read API. Can you give us a simple example?

julian

Hi @alexschomb -- if the write API is enabled and active, then master and user bearer tokens can be used against the Read API as well.

You'll authenticate them the same way, by passing a token query string.

alexschomb

Hi @julian
thanks for your quick answer as always!

I got it working using the Bearer token of the Write API, but experience some irreliable behavior using this method. I found that I need to create a topic first (POST /api/v1/topics) that results in a 400 Bad Request before I can access any private content or modify content according to my Authorization: Bearer TOKEN header. If I don't follow this step I always receive a not-authorized/logged_in: false. Shouldn't I be able to access private content directly when providing the correct Authorization header in my GET /api/users (example) request?

alexschomb

I did some more testing and found that the above solution does only work when sharing cookies. The Read API doesn't seem to authenticate itself against bearer tokens, but just uses the cookie.

Here is some non-sharing cookie example utilizing https://github.com/aacerox/node-rest-client:

var Client = require('node-rest-client').Client;
var client = new Client();

var args = {
  headers: { "Authorization": "Bearer faf63e0a-23a5-4c80-b281-412108cefd21" }
};

client.get("https://myforum.com/api/v1/users/1/tokens", args, function(data, response) {
  console.log(data);
  // { code: 'ok',  payload: { tokens: [ 'faf63e0a-23a5-4c80-b281-412108cefd21' ] } }
});

client.get("https://myforum.com/api/users", args, function(data, response) {
  console.log(data);
  // not-authorized
});

I don't understand your last sentence about the token query string. As far as I understood this is required for JWT, which is an alternative to bearer tokens, right?

julian

Mm, sorry, you're right, I mean you'll have to use the user or master token in the Authorization header... like a regular request to the write API

If it doesn't work, then that's possibly an issue with the write API...

alexschomb

@julian This does work with the Write API, see my previous code example. But it doesn't work with the Read API. Should I open a GitHub issue? Which is the best repository for reporting issues to the Read API?

julian

The write api actually provides the authentication mechanism, so you can file it against that repo.