API permission for search
-
Hi, I use nodebb-plugin-write-api's token and try to access search via the API like:
curl -H "Authorization: Bearer xxxxxx-cb5c-4ddf-866d-5fcbfd2986e8" 'https://example.com/api/search?term=test&in=titlesposts' -v
The token is right, and the user has permission to search.
But it returns "not-authorized"; it seems it does not support access via the API.
-
@birdzhang use the Bearer token for both "Authorization" and "Authentication"; I don't know why it is like that.
In your case:
curl -H "Authorization: Bearer xxxxxx-cb5c-4ddf-866d-5fcbfd2986e8" -H "Authentication: xxxxxx-cb5c-4ddf-866d-5fcbfd2986e8" 'https://example.com/api/search?term=test&in=titlesposts' -v
-
@giggiux Thank you for your reply.
I tried, but I still have an issue:
$ curl -H "Authorization: Bearer xxxx-62bc-4e9b-a2be-7978db5eda5e" -H "Authentication: Bearer xxxx-62bc-4e9b-a2be-7978db5eda5e" 'https://sailfishos.club/api/search?term=test&in=titlesposts' -v
* About to connect() to sailfishos.club port 443 (#0)
* Trying 45.32.119.117...
* Connected to sailfishos.club (45.32.119.117) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* subject: CN=sailfishos.club
* start date: Apr 17 02:23:21 2018 GMT
* expire date: Jul 16 02:23:21 2018 GMT
* common name: sailfishos.club
* issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> GET /api/search?term=test&in=titlesposts HTTP/1.1
> User-Agent: curl/7.29.0
> Host: sailfishos.club
> Accept: */*
> Authorization: Bearer xxxx-62bc-4e9b-a2be-7978db5eda5e
> Authentication: Bearer xxxx-62bc-4e9b-a2be-7978db5eda5e
>
< HTTP/1.1 400 Bad Request
< Server: nginx
< Date: Mon, 23 Apr 2018 01:40:19 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 143
< Connection: keep-alive
< X-DNS-Prefetch-Control: off
< X-Frame-Options: SAMEORIGIN
< Strict-Transport-Security: max-age=15552000; includeSubDomains
< X-Download-Options: noopen
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Referrer-Policy: strict-origin-when-cross-origin
< X-Powered-By: NodeBB
< ETag: W/"8f-PDJaS8zEUBQNBsr0ZxGk2abRkZA"
< set-cookie: express.sid=s%3ApUc-G1qQwpRXXbn09TLGk5_CeGmnyjKi.xxx8wkLUaqCxaWQjWfUomoeM4skR4I4fhXQI8RQP%2Bk; Path=/; Expires=Mon, 07 May 2018 01:40:19 GMT; HttpOnly; Secure
< Vary: Accept-Encoding
<
* Connection #0 to host sailfishos.club left intact
{"code":"params-missing","message":"Required parameters were missing from this API call, please see the \"params\" property","params":["_uid"]}
-
Oh, I thought you were using write-api endpoints. What you can try to do is to create your own plugin that extends the write-api (there is a hook that lets you do that), from which you get the uid of the user; you modify the request, setting req.user, and then pass everything to the searchController.search function.
So (this is not valid, but it's just to somehow show you):
in plugin.json:
{"hooks": [{"hook": "filter:plugin.write-api.routes", "method": "api"}]}
in library.js:
var plugin = {},
    searchController = require.main.require('./src/search');

// Called by the filter:plugin.write-api.routes hook declared in plugin.json
plugin.api = function (data, callback) {
    var app = data.router;
    var apiMiddleware = data.apiMiddleware;
    var middleware = data.middleware;
    var errorHandler = data.errorHandler;

    app.get('/search', apiMiddleware.requireUser, function (req, res) {
        req.user = req.uid; // req.uid is given from the middleware
        searchController(req, res);
    });

    callback(null, { router: app });
};

module.exports = plugin;
Then of course do the request to /api/v1/search instead of /api/search
-
Hi guys, thanks for having this discussion. It helped me find the issue; it will be fixed in the next version of the write-api plugin. https://github.com/NodeBB/nodebb-plugin-write-api/commit/4c98fbe3440d462d995a43ba4819f6d40f00646c
@BirdZhang make sure you use the latest version of NodeBB as well, since that check changed to req.loggedIn
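
The two responses seen in this thread can be reproduced with a small model of a route guard and a token middleware. This is an added example, not code from the thread, NodeBB or write-api: `bearerAuth`, `searchRoute`, `handle`, the token values and the uid-0 convention are assumptions, while the `not-authorized` and `params-missing` codes are the ones shown above.

```javascript
// Simplified model only; not NodeBB or write-api code.
// Constructed token store: token -> uid. uid 0 models a token that is not
// bound to one user (an assumption) and must name the user via _uid.
const TOKENS = new Map([
  ['user-token-placeholder', 7],
  ['master-token-placeholder', 0],
]);

const deny = (status, code, extra) => ({ status, body: { code, ...extra } });

// Hypothetical token middleware: resolves the bearer token to a uid and sets
// the same fields a session login would set, so later guards can rely on them.
function bearerAuth(req) {
  const match = /^Bearer\s+(\S+)$/i.exec(req.headers.authorization || '');
  if (!match || !TOKENS.has(match[1])) return deny(401, 'not-authorized');
  let uid = TOKENS.get(match[1]);
  if (uid === 0) {
    // Unbound token: the caller has to say which user it acts for.
    uid = parseInt(req.query._uid, 10);
    if (!(uid > 0)) return deny(400, 'params-missing', { params: ['_uid'] });
  }
  req.uid = uid;
  req.loggedIn = true;
  return null; // no rejection, continue to the route
}

// Hypothetical search route guard: it only reads req.loggedIn, so a valid
// token is rejected whenever nothing upstream populated that field.
function searchRoute(req) {
  if (!req.loggedIn) return deny(401, 'not-authorized');
  return { status: 200, body: { term: req.query.term, uid: req.uid } };
}

// Run one request through the route, with or without the token middleware.
function handle(request, useBearerAuth) {
  const req = { headers: {}, query: {}, ...request };
  const rejected = useBearerAuth ? bearerAuth(req) : null;
  return rejected || searchRoute(req);
}

// Constructed request: a valid user token on a route with no token middleware.
const sample = { headers: { authorization: 'Bearer user-token-placeholder' },
                 query: { term: 'test' } };
console.log(handle(sample, false).body.code); // the guard never saw an identity
console.log(handle(sample, true).status);
```
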