Authentication issue while using search[API]

JULIUS NGIGI

Hi All, I am attempting to search API like:

curl -H "Authorization: Bearer ******-4766-4ece-bc9c-46b3d62860d3" 'https://community.nodebb.org/api/search?term=Topic&in=titles' -v

The bearer token is a master token hence I never passed in the _uid param.

I am getting Unauthorized response like so:

 TCP_NODELAY set
* Connected to community.nodebb.org (104.131.182.59) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=community.nodebb.org
*  start date: Mar 14 04:01:36 2021 GMT
*  expire date: Jun 12 04:01:36 2021 GMT
*  subjectAltName: host "community.nodebb.org" matched cert's "community.nodebb.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET /api/search?term=Topic&in=titles HTTP/1.1
> Host: community.nodebb.org
> User-Agent: curl/7.64.1
> Accept: */*
> Authorization: Bearer *******-4766-4ece-bc9c-46b3d62860d3
> 
< HTTP/1.1 401 Unauthorized
< Server: nginx
< Date: Fri, 19 Mar 2021 09:42:24 GMT
< Content-Type: application/json; charset=utf-8
< Content-Length: 128
< Connection: keep-alive
< X-DNS-Prefetch-Control: off
< Expect-CT: max-age=0
< X-Frame-Options: DENY
< X-Download-Options: noopen
< X-Content-Type-Options: nosniff
< X-Permitted-Cross-Domain-Policies: none
< X-XSS-Protection: 0
< Referrer-Policy: strict-origin-when-cross-origin
< X-Powered-By: NodeBB
< Access-Control-Allow-Headers: X-Requested-With
< Content-Security-Policy: frame-ancestors 'none'
< ETag: W/"80-eeQII23Bwfv7GbZojexUMPulPS8"
< Set-Cookie: express.sid=s%3AeTpR1hownlntn88TtLNEmRjc0tX_yN7p.oJg2abyC7tPhctIot9DA5GFk3PvmfAPVLF8LLWd8CD8; Path=/; Expires=Fri, 02 Apr 2021 09:42:24 GMT; HttpOnly; Secure; SameSite=Lax
< 
* Connection #0 to host community.nodebb.org left intact
{"status":{"code":"not-authorised","message":"A valid login session was not found. Please log in and try again."},"response":{}}* Closing connection 0
➜  ~ curl -H "Authorization: Bearer ***********-4ece-bc9c-46b3d62860d3" 'https://community.nodebb.org/api/search?term=Topic&in=titles' -v

I have installed the nodebb-plugin-dbsearch plugin, re-indexed and restarted the platform. I'm I missing something? @julian

julian

@julius-ngigi yes indeed!

You are using a master token, so you actually do explicitly have to pass in the _uid parameter.

However the error you're getting suggests it is not related to a missing _uid parameter... It sounds like the search route doesn't accept bearer tokens.

We likely fixed this in the upcoming version of NodeBB already. It should be available in at least the two most recent pre-releases.

JULIUS NGIGI

@julian Thank you for the quick response!