Why access to REST API "not-authorized" ?

Technical Support
  • Hi,

    I would like to access to REST API on NodeBB 0.9.2 and when I make a call to for example NodebbURL/api/users when not authenticated I have in response "not-authorized" and I don't know why ?

    Is there a configuration to allow access to REST API when not authenticated ?

    Thanks in advance.

    Kind regards.

  • Hello,

    I have the same issue. In the beginning the API calls works great. but after rebooting nodeBB API become inaccessible:
    curl -i
    HTTP/1.1 401 Unauthorized
    X-Powered-By: NodeBB
    X-Frame-Options: SAMEORIGIN
    Content-Type: application/json; charset=utf-8
    Content-Length: 16
    ETag: W/"10-vtDQr4TNdqPmUlGMXxiHnw"
    set-cookie: express.sid=s%3At24DNKdbFbQj-4EZ9sr7xaKObOuhgqP9.yb6jCZG%2BSYPIW7AOsEfSiu6rs4ZwES4k5cEG5tm6QIs; Path=/; Expires=Thu, 31 Mar 2016 18:45:00 GMT; HttpOnly
    Vary: Accept-Encoding
    Date: Thu, 17 Mar 2016 18:45:00 GMT
    Connection: keep-alive


    any idea


  • 401 Unauthorized is returned when the page you are requesting is private. In @Ron's case, he has enabled user privacy. Not quite sure why you can't query /api/groups, @anas-ameziane

  • Ok thanks a lot Julian. User privacy activation was the problem.

    Kind regards.

  • So, how can we authorize/authenticate for the Read API? The Write API plugin allows us to generate bearer tokens or JWT, but these don't seem to work with the Read API. Can you give us a simple example?

  • Hi @alexschomb -- if the write API is enabled and active, then master and user bearer tokens can be used against the Read API as well.

    You'll authenticate them the same way, by passing a token query string.

  • Hi @julian
    thanks for your quick answer as always! 🙂

    I got it working using the Bearer token of the Write API, but experience some irreliable behavior using this method. I found that I need to create a topic first (POST /api/v1/topics) that results in a 400 Bad Request before I can access any private content or modify content according to my Authorization: Bearer TOKEN header. If I don't follow this step I always receive a not-authorized/logged_in: false. Shouldn't I be able to access private content directly when providing the correct Authorization header in my GET /api/users (example) request?

  • I did some more testing and found that the above solution does only work when sharing cookies. The Read API doesn't seem to authenticate itself against bearer tokens, but just uses the cookie.

    Here is some non-sharing cookie example utilizing https://github.com/aacerox/node-rest-client:

    var Client = require('node-rest-client').Client;
    var client = new Client();
    var args = {
      headers: { "Authorization": "Bearer faf63e0a-23a5-4c80-b281-412108cefd21" }
    client.get("https://myforum.com/api/v1/users/1/tokens", args, function(data, response) {
      // { code: 'ok',  payload: { tokens: [ 'faf63e0a-23a5-4c80-b281-412108cefd21' ] } }
    client.get("https://myforum.com/api/users", args, function(data, response) {
      // not-authorized

    I don't understand your last sentence about the token query string. As far as I understood this is required for JWT, which is an alternative to bearer tokens, right?

  • Mm, sorry, you're right, I mean you'll have to use the user or master token in the Authorization header... like a regular request to the write API

    If it doesn't work, then that's possibly an issue with the write API...

  • @julian This does work with the Write API, see my previous code example. But it doesn't work with the Read API. Should I open a GitHub issue? Which is the best repository for reporting issues to the Read API?

  • The write api actually provides the authentication mechanism, so you can file it against that repo.

Suggested Topics