Api permission for search

Bug Reports
Log in to reply
  • BirdZhang

    Hi, i use nodebb-plugin-write-api's token, try to access search via api like:

    curl -H "Authorization: Bearer xxxxxx-cb5c-4ddf-866d-5fcbfd2986e8" 'https://example.com/api/search?term=test&in=titlesposts' -v

    The token is right, and the user has permission to search
    But, it return "not-authorized", seem not support access via api

    Giggiux 1 Reply 0
  • Giggiux

    @birdzhang use Bearer token for both "Authorization" and "Authentication", don't know why it is like that:

    In your case:

    curl -H "Authorization: Bearer xxxxxx-cb5c-4ddf-866d-5fcbfd2986e8" -H "Authentication xxxxxx-cb5c-4ddf-866d-5fcbfd2986e8" 'https://example.com/api/search?term=test&in=titlesposts' -v

    BirdZhang 1 Reply 0
  • BirdZhang

    @giggiux Thank you for your replay

    I tried but still have some issue

    $ curl -H "Authorization: Bearer xxxx-62bc-4e9b-a2be-7978db5eda5e" -H "Authentication: Bearer xxxx-62bc-4e9b-a2be-7978db5eda5e" 'https://sailfishos.club/api/search?term=test&in=titlesposts' -v
* About to connect() to sailfishos.club port 443 (#0)
*   Trying 45.32.119.117...
* Connected to sailfishos.club (45.32.119.117) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=sailfishos.club
*       start date: Apr 17 02:23:21 2018 GMT
*       expire date: Jul 16 02:23:21 2018 GMT
*       common name: sailfishos.club
*       issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> GET /api/search?term=test&in=titlesposts HTTP/1.1
> User-Agent: curl/7.29.0
> Host: sailfishos.club
> Accept: */*
> Authorization: Bearer xxxx-62bc-4e9b-a2be-7978db5eda5e
> Authentication: Bearer xxxx-62bc-4e9b-a2be-7978db5eda5e
> 
< HTTP/1.1 400 Bad Request
< Server: nginx
< Date: Mon, 23 Apr 2018 01:40:19 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 143
< Connection: keep-alive
< X-DNS-Prefetch-Control: off
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Download-Options: noopen
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Referrer-Policy: strict-origin-when-cross-origin
< X-Powered-By: NodeBB
< ETag: W/"8f-PDJaS8zEUBQNBsr0ZxGk2abRkZA"
< set-cookie: express.sid=s%3ApUc-G1qQwpRXXbn09TLGk5_CeGmnyjKi.xxx8wkLUaqCxaWQjWfUomoeM4skR4I4fhXQI8RQP%2Bk; Path=/; Expires=Mon, 07 May 2018 01:40:19 GMT; HttpOnly; Secure
< Vary: Accept-Encoding
< 
* Connection #0 to host sailfishos.club left intact
{"code":"params-missing","message":"Required parameters were missing from this API call, please see the \"params\" property","params":["_uid"]}
    Giggiux 1 Reply 0
  • Giggiux

    @birdzhang You are using a Master Bearer token and not a user's one. So you have to pass also the uid parameter in the request. Or you create an User Bearer token and that solves the problem 🙂

    BirdZhang 1 Reply 0
  • BirdZhang

    @giggiux I changed to user's token , the server return 401 😢

    I searched the source code, seem it not support api

    0_1524623899074_ab467c2d-3f00-49c9-a0bc-f8f8e9a52c8b-image.png

    Giggiux 1 Reply 0
  • Giggiux

    Oh, i thought you were using write-api endpoints. What you can try do is to create your own plugin that extends the write-api (there is an hook that let you do that), from which you get the uid of the user, you modify the request setting req.user and then pass everything to the searchController.search function.

    So (this is not valid, but it's just to somehow show you):

    in plugin.json:

    {"hooks": [{"hook": "filter:plugin.write-api.routes", "method": "api"}]}

    in library.js:

    var plugin = {},
       searchController = require.main.require('./src/search');
plugin.api = function (data, callback) {

	var app = data.router;
	var apiMiddleware = data.apiMiddleware;
	var middleware = data.middleware;
	var errorHandler = data.errorHandler;

        app.get('/search', apiMiddleware.requireUser, function(req,res) {
            req.user = req.uid; //req.uid is given from the middleware
            searchController(req, res)
        }

callback(null, {
		router: app
	});

}

    Then of course do the request to /api/v1/search instead of /api/search

    0
  • baris
    NodeBB

    Hi guys, thanks for having this discussion it helped me find the issue it will be fixed in the next version of write-api plugin. https://github.com/NodeBB/nodebb-plugin-write-api/commit/4c98fbe3440d462d995a43ba4819f6d40f00646c @BirdZhang make sure you use latest version of NodeBB as well since that check changed to req.loggedIn

    0 barisusakli committed to NodeBB/nodebb-plugin-write-api 
    set loggedIn after login
    Giggiux BirdZhang 2 Replies 1
  • Giggiux

    @baris This means now calls with the Bearer token can also be done to normal api?

    baris 1 Reply 0
  • baris
    NodeBB

    @giggiux Yes they should work.

    0
  • BirdZhang

    @baris Thank you very much, works very well

    1

Suggested Topics

| |
Copyright © 2022 NodeBB | Contributors

Get Started

Resources

Company

Start Free Trial
Github Facebook Instagram Twitter
© 2014 – 2022 NodeBB, Inc. — Made in Canada.