Why is access to the REST API "not-authorized"?
-
Hi,
I would like to access the REST API on NodeBB 0.9.2, and when I make a call to, for example, NodebbURL/api/users when not authenticated, I get "not-authorized" in response and I don't know why.
Is there a configuration to allow access to the REST API when not authenticated?
Thanks in advance.
Kind regards.
-
Hello,
I have the same issue. In the beginning the API calls worked great, but after rebooting NodeBB the API became inaccessible:
curl -i http://127.0.0.1:4567/api/groups
HTTP/1.1 401 Unauthorized
X-Powered-By: NodeBB
X-Frame-Options: SAMEORIGIN
Content-Type: application/json; charset=utf-8
Content-Length: 16
ETag: W/"10-vtDQr4TNdqPmUlGMXxiHnw"
set-cookie: express.sid=s%3At24DNKdbFbQj-4EZ9sr7xaKObOuhgqP9.yb6jCZG%2BSYPIW7AOsEfSiu6rs4ZwES4k5cEG5tm6QIs; Path=/; Expires=Thu, 31 Mar 2016 18:45:00 GMT; HttpOnly
Vary: Accept-Encoding
Date: Thu, 17 Mar 2016 18:45:00 GMT
Connection: keep-alive

"not-authorized"
Any idea?
Thanks.
-
401 Unauthorized is returned when the page you are requesting is private. In @Ron's case, he has enabled user privacy. Not quite sure why you can't query /api/groups, @anas-ameziane
-
Ok thanks a lot Julian. User privacy activation was the problem.
Kind regards.
-
So, how can we authorize/authenticate for the Read API? The Write API plugin allows us to generate bearer tokens or JWT, but these don't seem to work with the Read API. Can you give us a simple example?
-
Hi @alexschomb -- if the write API is enabled and active, then master and user bearer tokens can be used against the Read API as well.
You'll authenticate them the same way, by passing a token query string.
-
Hi @julian
thanks for your quick answer as always! I got it working using the Bearer token of the Write API, but experience some unreliable behavior using this method. I found that I need to create a topic first (POST /api/v1/topics) that results in a 400 Bad Request before I can access any private content or modify content according to my Authorization: Bearer TOKEN header. If I don't follow this step I always receive a not-authorized / logged_in: false. Shouldn't I be able to access private content directly when providing the correct Authorization header in my GET /api/users (example) request?
-
I did some more testing and found that the above solution only works when sharing cookies. The Read API doesn't seem to authenticate itself against bearer tokens, but just uses the cookie.
Here is an example without shared cookies, utilizing https://github.com/aacerox/node-rest-client:
var Client = require('node-rest-client').Client;
var client = new Client();
var args = {
  headers: { "Authorization": "Bearer faf63e0a-23a5-4c80-b281-412108cefd21" }
};

client.get("https://myforum.com/api/v1/users/1/tokens", args, function(data, response) {
  console.log(data); // { code: 'ok', payload: { tokens: [ 'faf63e0a-23a5-4c80-b281-412108cefd21' ] } }
});

client.get("https://myforum.com/api/users", args, function(data, response) {
  console.log(data); // not-authorized
});
I don't understand your last sentence about the token query string. As far as I understood this is required for JWT, which is an alternative to bearer tokens, right?
-
Mm, sorry, you're right, I mean you'll have to use the user or master token in the Authorization header... like a regular request to the write API
If it doesn't work, then that's possibly an issue with the write API...
-
@julian This does work with the Write API, see my previous code example. But it doesn't work with the Read API. Should I open a GitHub issue? Which is the best repository for reporting issues to the Read API?
-
The write api actually provides the authentication mechanism, so you can file it against that repo.
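-
The cookie-versus-token observation reported in this thread, as an added example that is not part of the original posts and is not NodeBB or Write API plugin code: a constructed stand-in server models the reported behaviour, and the probe sends each credential in isolation so a shared session cookie cannot mask whether the bearer token is honoured on the read route. `TOKEN`, the cookie value and the function names are placeholders chosen for this example.

```javascript
// Added example: constructed stand-in server, not NodeBB or Write API plugin code.
const TOKEN = 'PLACEHOLDER-TOKEN'; // placeholder bearer token
const SID = 'express.sid=constructed-session'; // constructed session cookie

async function startMockForum() {
  const { createServer } = await import('node:http');
  let sessionLoggedIn = false; // server-side state behind the cookie
  const server = createServer((req, res) => {
    const bearerOk = req.headers.authorization === `Bearer ${TOKEN}`;
    const hasCookie = (req.headers.cookie || '').includes(SID);
    res.setHeader('Content-Type', 'application/json');
    if (req.url.startsWith('/api/v1/')) {
      // Modelled write route: checks the token, then logs the session in.
      if (!bearerOk) { res.statusCode = 401; return res.end('"not-authorized"'); }
      sessionLoggedIn = true;
      res.setHeader('Set-Cookie', `${SID}; Path=/; HttpOnly`);
      return res.end('{"code":"ok"}');
    }
    // Modelled read route: consults only the session cookie.
    if (hasCookie && sessionLoggedIn) return res.end('{"users":[]}');
    res.statusCode = 401;
    res.end('"not-authorized"');
  });
  await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
  return server;
}

// Send one GET with exactly the given headers; return status plus any cookie set.
async function get(url, headers) {
  const res = await fetch(url, { headers });
  await res.text(); // drain the body so the connection is released
  return { status: res.status, cookie: (res.headers.get('set-cookie') || '').split(';')[0] };
}

async function probeReadApi() {
  const server = await startMockForum();
  const base = `http://127.0.0.1:${server.address().port}`;
  const auth = { Authorization: `Bearer ${TOKEN}` };
  try {
    const tokenOnly = await get(`${base}/api/users`, auth); // no cookie at all
    const write = await get(`${base}/api/v1/users/1/tokens`, auth);
    const both = await get(`${base}/api/users`, { ...auth, Cookie: write.cookie });
    const cookieOnly = await get(`${base}/api/users`, { Cookie: write.cookie });
    return { tokenOnly: tokenOnly.status, both: both.status, cookieOnly: cookieOnly.status };
  } finally {
    server.close();
    server.closeAllConnections(); // drop keep-alive sockets so the process can exit
  }
}
```

Pointed at a real forum, the same three probes separate the cases: if `tokenOnly` fails while `cookieOnly` succeeds, the read route is authenticating the session cookie and the token contributes nothing.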