Skip to content

API Authorization: header not working  #4243

Closed
@stevegt

Description

@stevegt
Contributor

The Authorization: header doesn't seem to be working as of 2e05ffd. I haven't yet figured out what's causing this behavior, or if it's something I'm doing wrong. Seeing some possible similarities with some of the symptoms of #3842, particularly the 401 response described there when using Authorization:.

How to duplicate:

  • Using the /api/swagger web UI, hit the 'Authorize' button and put your token into the AuthorizationHeaderToken value field. Ensure you are logged out of all other authorization methods. Ensure you are logged out of the gitea web UI (no cookies stored in your browser).
  • Create a new issue using the swagger web UI; this will fail with a 401 Unauthorized error.
  • Now copy and execute the curl command given by the swagger web UI. It also fails. Adding a -i flag to curl shows that it is returning a 401 Unauthorized:
curl -X POST "http://localhost:4000/api/v1/repos/test1/test1/issues" -H "accept: application/json" -H "Authorization: 65eaa9c8ef52460d22a93307fe0aee76289dc675" -H "Content-Type: application/json" -d "{ \"body\": \"testing\", \"title\": \"test 17\"}" -i
HTTP/1.1 401 Unauthorized
Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
Set-Cookie: i_like_gitea=7e17b9f254cd0cc4; Path=/; HttpOnly
Set-Cookie: _csrf=vW3ET5wQ62_IHnj5j08A9KUfXQM6MTUyODkwODc5OTkyOTI5OTUxNw%3D%3D; Path=/; Expires=Thu, 14 Jun 2018 16:53:19 GMT
X-Frame-Options: SAMEORIGIN
Date: Wed, 13 Jun 2018 16:53:19 GMT
Content-Length: 0
  • Go back and hit the Authorize button again, log out of AuthorizationHeaderToken, and instead paste your token in the Token value field.
  • Try creating a new issue using the swagger web UI again; this will succeed.

Activity

changed the title [-]Authorization: header not working consistently[/-] [+]API Authorization: header not working consistently[/+] on Jun 14, 2018
changed the title [-]API Authorization: header not working consistently[/-] [+]API Authorization: header not working [/+] on Jun 14, 2018
stevegt

stevegt commented on Jun 14, 2018

@stevegt
ContributorAuthor

Closing for now because I'm probably an idiot -- the Authorization: header probably isn't supposed to work with the same token type that works in the query string, and I should probably know better.

stevegt

stevegt commented on Jun 14, 2018

@stevegt
ContributorAuthor

Okay, for anyone landing here from google -- the way to get the Authorization: header to work from gitea API clients is to use your normal API key token, the same one you would use in the token= string in a GET request, but with the word token prepended. Like this:

Authorization: token 65eaa9c8ef52460d22a93307fe0aee76289dc675

In a curl command, for instance, this would look like:

curl -X POST "http://localhost:4000/api/v1/repos/test1/test1/issues" -H "accept: application/json" -H "Authorization: token 65eaa9c8ef52460d22a93307fe0aee76289dc675" -H "Content-Type: application/json" -d "{ \"body\": \"testing\", \"title\": \"test 20\"}" -i

The code that parses this is at

if len(auths) == 2 && auths[0] == "token" {

Some related points:

added a commit that references this issue on Jun 24, 2018
added a commit that references this issue on Jun 25, 2018
locked and limited conversation to collaborators on Nov 24, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @stevegt

        Issue actions

          API Authorization: header not working · Issue #4243 · go-gitea/gitea