Api permission for search

BirdZhang

Hi, i use nodebb-plugin-write-api's token, try to access search via api like:

curl -H "Authorization: Bearer xxxxxx-cb5c-4ddf-866d-5fcbfd2986e8" 'https://example.com/api/search?term=test&in=titlesposts' -v

The token is right, and the user has permission to search
But, it return "not-authorized", seem not support access via api

Giggiux

@birdzhang use Bearer token for both "Authorization" and "Authentication", don't know why it is like that:

In your case:

curl -H "Authorization: Bearer xxxxxx-cb5c-4ddf-866d-5fcbfd2986e8" -H "Authentication xxxxxx-cb5c-4ddf-866d-5fcbfd2986e8" 'https://example.com/api/search?term=test&in=titlesposts' -v

BirdZhang

@giggiux Thank you for your replay

I tried but still have some issue

$ curl -H "Authorization: Bearer xxxx-62bc-4e9b-a2be-7978db5eda5e" -H "Authentication: Bearer xxxx-62bc-4e9b-a2be-7978db5eda5e" 'https://sailfishos.club/api/search?term=test&in=titlesposts' -v
* About to connect() to sailfishos.club port 443 (#0)
*   Trying 45.32.119.117...
* Connected to sailfishos.club (45.32.119.117) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=sailfishos.club
*       start date: Apr 17 02:23:21 2018 GMT
*       expire date: Jul 16 02:23:21 2018 GMT
*       common name: sailfishos.club
*       issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> GET /api/search?term=test&in=titlesposts HTTP/1.1
> User-Agent: curl/7.29.0
> Host: sailfishos.club
> Accept: */*
> Authorization: Bearer xxxx-62bc-4e9b-a2be-7978db5eda5e
> Authentication: Bearer xxxx-62bc-4e9b-a2be-7978db5eda5e
> 
< HTTP/1.1 400 Bad Request
< Server: nginx
< Date: Mon, 23 Apr 2018 01:40:19 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 143
< Connection: keep-alive
< X-DNS-Prefetch-Control: off
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Download-Options: noopen
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Referrer-Policy: strict-origin-when-cross-origin
< X-Powered-By: NodeBB
< ETag: W/"8f-PDJaS8zEUBQNBsr0ZxGk2abRkZA"
< set-cookie: express.sid=s%3ApUc-G1qQwpRXXbn09TLGk5_CeGmnyjKi.xxx8wkLUaqCxaWQjWfUomoeM4skR4I4fhXQI8RQP%2Bk; Path=/; Expires=Mon, 07 May 2018 01:40:19 GMT; HttpOnly; Secure
< Vary: Accept-Encoding
< 
* Connection #0 to host sailfishos.club left intact
{"code":"params-missing","message":"Required parameters were missing from this API call, please see the \"params\" property","params":["_uid"]}

Giggiux

@birdzhang You are using a Master Bearer token and not a user's one. So you have to pass also the uid parameter in the request. Or you create an User Bearer token and that solves the problem

BirdZhang

@giggiux I changed to user's token , the server return 401

I searched the source code, seem it not support api

Giggiux

Oh, i thought you were using write-api endpoints. What you can try do is to create your own plugin that extends the write-api (there is an hook that let you do that), from which you get the uid of the user, you modify the request setting req.user and then pass everything to the searchController.search function.

So (this is not valid, but it's just to somehow show you):

in plugin.json:

{"hooks": [{"hook": "filter:plugin.write-api.routes", "method": "api"}]}

in library.js:

var plugin = {},
       searchController = require.main.require('./src/search');
plugin.api = function (data, callback) {

	var app = data.router;
	var apiMiddleware = data.apiMiddleware;
	var middleware = data.middleware;
	var errorHandler = data.errorHandler;

        app.get('/search', apiMiddleware.requireUser, function(req,res) {
            req.user = req.uid; //req.uid is given from the middleware
            searchController(req, res)
        }

callback(null, {
		router: app
	});

}

Then of course do the request to /api/v1/search instead of /api/search

baris

Hi guys, thanks for having this discussion it helped me find the issue it will be fixed in the next version of write-api plugin. https://github.com/NodeBB/nodebb-plugin-write-api/commit/4c98fbe3440d462d995a43ba4819f6d40f00646c @BirdZhang make sure you use latest version of NodeBB as well since that check changed to req.loggedIn

Giggiux

@baris This means now calls with the Bearer token can also be done to normal api?

baris

@giggiux Yes they should work.

BirdZhang

@baris Thank you very much, works very well