Why is access to the REST API "not-authorized"?
-
Hello,
I have the same issue. In the beginning the API calls work great, but after rebooting NodeBB the API becomes inaccessible:
curl -i http://127.0.0.1:4567/api/groups
HTTP/1.1 401 Unauthorized
X-Powered-By: NodeBB
X-Frame-Options: SAMEORIGIN
Content-Type: application/json; charset=utf-8
Content-Length: 16
ETag: W/"10-vtDQr4TNdqPmUlGMXxiHnw"
set-cookie: express.sid=s%3At24DNKdbFbQj-4EZ9sr7xaKObOuhgqP9.yb6jCZG%2BSYPIW7AOsEfSiu6rs4ZwES4k5cEG5tm6QIs; Path=/; Expires=Thu, 31 Mar 2016 18:45:00 GMT; HttpOnly
Vary: Accept-Encoding
Date: Thu, 17 Mar 2016 18:45:00 GMT
Connection: keep-alive

"not-authorized"

Any idea?
Thanks.
-
So, how can we authorize/authenticate for the Read API? The Write API plugin allows us to generate bearer tokens or JWT, but these don't seem to work with the Read API. Can you give us a simple example?
-
Hi @julian
thanks for your quick answer as always! I got it working using the Bearer token of the Write API, but experience some unreliable behavior using this method. I found that I need to create a topic first (POST /api/v1/topics) that results in a 400 Bad Request before I can access any private content or modify content according to my Authorization: Bearer TOKEN header. If I don't follow this step I always receive a not-authorized / logged_in: false. Shouldn't I be able to access private content directly when providing the correct Authorization header in my GET /api/users (example) request?
-
I did some more testing and found that the above solution only works when sharing cookies. The Read API doesn't seem to authenticate itself against bearer tokens, but just uses the cookie.
Here is a non-cookie-sharing example utilizing https://github.com/aacerox/node-rest-client:
    var Client = require('node-rest-client').Client;
    var client = new Client();

    // The same Authorization header is sent with both requests; no cookies are shared
    var args = {
        headers: { "Authorization": "Bearer faf63e0a-23a5-4c80-b281-412108cefd21" }
    };

    // Write API endpoint
    client.get("https://myforum.com/api/v1/users/1/tokens", args, function(data, response) {
        console.log(data);
        // { code: 'ok', payload: { tokens: [ 'faf63e0a-23a5-4c80-b281-412108cefd21' ] } }
    });

    // Read API endpoint
    client.get("https://myforum.com/api/users", args, function(data, response) {
        console.log(data);
        // not-authorized
    });
I don't understand your last sentence about the token query string. As far as I understood this is required for JWT, which is an alternative to bearer tokens, right?