
API "/api/v1/me/" with JWT token but always response "message": "Not authorized" #25876

Open
xavier-GitHub76 opened this issue Nov 6, 2023 · 18 comments

Comments

@xavier-GitHub76
Contributor

Hello,
I try to use API endpoints but I have a problem.
I succeeded in getting a JWT token with /api/v1/security/login

[screenshot]

and I use it with other API endpoints like:

  • /api/v1/me/
  • /api/v1/me/roles/

[screenshot]

These endpoints seem very simple to use (no parameters to define) but I always get the response:
{
"message": "Not authorized"
}

[screenshot]

I don't see why it fails.
Thanks for your help

@sebastianliebscher
Contributor

sebastianliebscher commented Nov 9, 2023

Hi @xavier-GitHub76, what version are you running? I can replicate this issue on the latest master branch.

Steps to reproduce:

  • checkout master
  • hit the endpoint

    curl --request GET \
      --url http://localhost:8088/api/v1/me/roles \
      --header 'Authorization: Bearer token' \
      --header 'X-CSRFToken: token'

  • get 401 Unauthorized

@xavier-GitHub76
Contributor Author

Thanks for your test.
I use version 3.0.

@siddhartha8916

siddhartha8916 commented Nov 16, 2023

Make a request to http://localhost:8000/login with form data containing csrfToken, username and password. This will set a session in the browser which will then be used to call the /me API.
The CSRF token can be obtained from the login form.

[screenshot]

[screenshot]

@xavier-GitHub76
Contributor Author

Hi, thanks a lot for your reply.
I don't understand why we must use http://localhost:8000/login whereas the API endpoint 'login' exists. I don't find documentation about using the Superset API (just the Swagger, which does not specify the logical order of the endpoints).

I tried your example with Postman but I do not get the same result.

  1. {{url}}/api/v1/security/login --> OK, I have an access_token (that I store in a variable)
  2. {{url}}/api/v1/security/csrf_token/ --> OK, I have a csrf (that I store in a variable)
  3. {{url}}/login

[screenshot]

but I get this result:
[screenshot]

On your screenshot, you have 10 parameters in the header, I have just 9.
Could you show me the details of your header and the result of your execution?

  1. {{url}}/api/v1/me/ with access_token and csrf token
    [screenshot]

[screenshot]

The result is always "Not authorized" 😞
[screenshot]

@siddhartha8916

siddhartha8916 commented Nov 18, 2023

Hit a GET request to the /login endpoint. There you'll get the HTML document containing csrf_token as a hidden input field.
Extract the csrf_token and save it in a variable.

Then make a POST request to the /login endpoint with body as FormData containing the csrf_token, username, and password.
Then make a third request to the /me route. (You need not pass any extra Bearer Token or Header.)

Hope this works...

@xavier-GitHub76
Contributor Author

Hello,
first of all, thank you very much for your help. It is very pleasant. 👍
Unfortunately I fail. I don't understand the systematic use of the {{url}}/'login' web page although API endpoints exist:
{{url}}/api/v1/security/login
{{url}}/api/v1/security/csrf_token/

I nevertheless tried your scenario.

I made the GET request on {{url}}/'login' and I successfully retrieved the value of the hidden variable csrf_token.

[screenshot]
[screenshot]

I made the POST request on {{url}}/'login' with body as FormData containing the csrf_token, username, and password:
[screenshot]

I made the request on {{url}}/api/v1/me/ (with no Auth) but I got "message": "Not authorized"
[screenshot]

Best regards

@xavier-GitHub76
Contributor Author

xavier-GitHub76 commented Nov 21, 2023

Ideally I was thinking of using 100% API endpoints:

  • {{url}}/api/v1/security/login
  • {{url}}/api/v1/security/csrf_token/
  • {{url}}/api/v1/me/

which would allow me to rely solely on the APIs (/api/v1) and manipulate JSON results.
Thanks for your help.
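Both routes the thread compares, written out as an added example that is neither Superset's code nor code posted by anyone in this issue: the pure /api/v1 sequence (login, csrf_token, me) the reporter wants, and the form-login session workaround from siddhartha8916's reply. It assumes a Superset reachable at http://localhost:8088, placeholder db credentials admin/admin, the Flask-AppBuilder login body shape, and that the HTML login form posts to /login/ (adjust to your instance).

```python
import json, re, urllib.error, urllib.parse, urllib.request
from http.cookiejar import CookieJar
BASE = "http://localhost:8088"        # placeholder Superset instance (assumption)
USER, PASSWORD = "admin", "admin"     # placeholder credentials (assumption)

def extract_csrf_token(html):
    """Hidden csrf_token field from the /login HTML, whatever the attribute order."""
    for tag in re.findall(r"<input\b[^>]*>", html):
        if re.search(r'\bname="csrf_token"', tag):
            m = re.search(r'\bvalue="([^"]*)"', tag)
            return m.group(1) if m else None
    return None

def auth_headers(jwt, csrf):
    # Headers the thread expects to be enough for a JWT-protected endpoint
    return {"Authorization": f"Bearer {jwt}", "X-CSRFToken": csrf, "Referer": BASE}

def call(opener, path, headers=None, json_body=None, form=None):
    """One request through a cookie-keeping opener: (status, JSON or text), 4xx included."""
    req = urllib.request.Request(BASE + path, headers=headers or {})
    if json_body is not None:
        req.data = json.dumps(json_body).encode()
        req.add_header("Content-Type", "application/json")
    elif form is not None:
        req.data = urllib.parse.urlencode(form).encode()  # urllib adds the form content type
    try:
        with opener.open(req) as r:
            status, raw = r.status, r.read().decode()
    except urllib.error.HTTPError as e:                   # 401 "Not authorized" lands here
        status, raw = e.code, e.read().decode()
    try:
        return status, json.loads(raw)
    except ValueError:
        return status, raw

def jwt_flow(opener):
    """Pure /api/v1 route the reporter wants: login -> csrf_token -> me."""
    body = {"username": USER, "password": PASSWORD, "provider": "db", "refresh": True}
    st, login = call(opener, "/api/v1/security/login", json_body=body)
    assert st == 200, login
    jwt = login["access_token"]
    _, csrf = call(opener, "/api/v1/security/csrf_token/", {"Authorization": f"Bearer {jwt}"})
    return call(opener, "/api/v1/me/", auth_headers(jwt, csrf["result"]))

def session_flow(opener):
    """Workaround reported in the thread: form login on /login/, then the session cookie alone."""
    _, html = call(opener, "/login/")
    form = {"csrf_token": extract_csrf_token(html), "username": USER, "password": PASSWORD}
    call(opener, "/login/", form=form)
    return call(opener, "/api/v1/me/")
```

Run `jwt_flow(opener)` and `session_flow(opener)` with `opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))`; the thread reports the first returning 401 with "Not authorized" on 3.0 and the second succeeding.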

@peanut00

Hello xavier-GitHub76,

Could you please advise on the interface you are using for API tests?

Thanks,

@xavier-GitHub76
Contributor Author

Hello @peanut00
I use Postman.

@peanut00

Hello @peanut00 I use Postman.

Many Thanks for your help

@bryanjknight

Adding some logging within superset/views/users/api.py seems to show that the global user is not getting set when the request comes in to CurrentUserRestApi. Interestingly, it seems the current user API is the only one that uses g.user based on a quick search

@rusackas
Member

@dosu-bot

@rusackas
Member

Are people still having issues here? It's not clear to me if this is still a bug, or if there's just general confusion about API use.

@xavier-GitHub76
Contributor Author

Hello @rusackas,
I can't find precise documentation on the API.

I have done a lot of research (Google, GitHub, Slack) on the subject but cannot easily use the API.
In particular, I read the following page:
https://superset.apache.org/docs/api/
The available functions are well listed but the use of the JWT is not detailed.
We know how to retrieve the value of the JWT token but, for example, it is not indicated that it must be passed in addition to the parameters specific to a function.
This explanation can be found on sites such as Stack Overflow.

Unfortunately, sometimes providing a JWT token and a CSRF token is sufficient but this is not always the case (like this issue).

Providing a session cookie helps get around the problem but I don't understand why it is necessary when the technical identification elements are already provided.

By searching in /api/v1/_openapi
we can see the functions requiring the JWT token:
"security": [
{
"jwt":[]
}
],

Thanks for your help

@Vinayselukar21

@xavier-GitHub76

Were you able to fetch current user info from "/api/v1/me"?

@xavier-GitHub76
Contributor Author

@Vinayselukar21

I succeeded in seeing a result, but by a means that does not seem correct to me.

The use of API functions should be based on the provision of a JWT token and a CSRF token; however, if I execute /api/v1/me/ with these tokens, I systematically get the return:
{
"message": "Not authorized"
}

I manage to identify the user only by providing a cookie (retrieved after using the login page). This is not normal to me because the function returns a result without a JWT token.

@xavier-GitHub76
Contributor Author

Result Not authorized with
JWT
[screenshot]
and
CSRF
[screenshot]

Result OK with just a cookie:
[screenshot]

@Vinayselukar21

@xavier-GitHub76 Thanks for the help.
