API requests doesnt work when I am not logged in

Hi,

According to the ojs API docs the api should work when sending request with apiToken, but what i get is unauthorised access when I am not logged in to OJS.
I have tried to regenerate the api token and the same, any ideas?
thnaks in advance

Hi @sm2020,

Have you set an api_key_secret in your config.inc.php?

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher,

yes, I did and regenerated the token few times, but didn’t help.

regards
Salman

Hi @sm2020,

Is the api_key_secret at least 32 characters? I believe JWT (which we rely upon for API support) has a minimum length requirement.

Regards,
Alec Smecher
Public Knowledge Project Team

Yes, it is more than 32 chars.
I am using Postman for testing and this is the response for POST request:
{
“error”: “form.csrfInvalid”,
“errorMessage”: “The form could not be submitted. You may have been logged out. Please reload the page and try again.”
}

and for GET:
{
“error”: “user.authorization.accessDenied”,
“errorMessage”: “##user.authorization.accessDenied##”
}

Regards
Salman

Hi @sm2020,

Ah, the issue is that the CSRF check is still being executed even though you’re using an API request (which shouldn’t require CSRF checks). What exact version of OJS are you using?

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher,

Thanks for replying.
I am using OJS 3.2.0

Thanks
Salman

Hi @sm2020,

Thanks – what specific API request are you trying? (Do you have a CURL one-liner handy?)

Regards,
Alec Smecher
Public Knowledge Project Team

Here is the curl:

    curl -X POST \
      'http://(url here)/index.php/%2A/api/v1/contexts?apiToken=(token here)' \
      -H 'cache-control: no-cache' \
      -H 'content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' \
      -H 'postman-token: (token here)' \
      -F name=test \
      -F abbreviation=test \
      -F description=test \
      -F urlPath=test

Hi @sm2020,

Whoops, I should’ve warned you to remove your tokens from the CURL command before posting! I’ve removed them myself – but please re-generate your API key immediately, and be careful not to post those publicly in the future.

Regards,
Alec Smecher
Public Knowledge Project Team

Thanks for warning, I have already regenerated it, and the site is local not online, so should be fine.

Hi @sm2020,

Great, just making sure!

I’ve filed this at https://github.com/pkp/pkp-lib/issues/5633 – watch for an update there.

Regards,
Alec Smecher
Public Knowledge Project Team

Many thanks @asmecher.