Hi,
According to the OJS API docs, the API should work when sending a request with apiToken, but what I get is unauthorised access when I am not logged in to OJS.
I have tried regenerating the API token, with the same result. Any ideas?
Thanks in advance
Hi @sm2020,
Have you set an api_key_secret in your config.inc.php?
Regards,
Alec Smecher
Public Knowledge Project Team
Hi @sm2020,
Is the api_key_secret at least 32 characters? I believe JWT (which we rely upon for API support) has a minimum length requirement.
Regards,
Alec Smecher
Public Knowledge Project Team
Yes, it is more than 32 chars.
I am using Postman for testing and this is the response for POST request:
{
  "error": "form.csrfInvalid",
  "errorMessage": "The form could not be submitted. You may have been logged out. Please reload the page and try again."
}
and for GET:
{
  "error": "user.authorization.accessDenied",
  "errorMessage": "##user.authorization.accessDenied##"
}
Regards
Salman
Hi @sm2020,
Ah, the issue is that the CSRF check is still being executed even though you’re using an API request (which shouldn’t require CSRF checks). What exact version of OJS are you using?
Regards,
Alec Smecher
Public Knowledge Project Team
Hi @sm2020,
Thanks – what specific API request are you trying? (Do you have a CURL one-liner handy?)
Regards,
Alec Smecher
Public Knowledge Project Team
Here is the curl:
curl -X POST \
'http://(url here)/index.php/%2A/api/v1/contexts?apiToken=(token here)' \
-H 'cache-control: no-cache' \
-H 'content-type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW' \
-H 'postman-token: (token here)' \
-F name=test \
-F abbreviation=test \
-F description=test \
-F urlPath=test
Hi @sm2020,
Whoops, I should’ve warned you to remove your tokens from the CURL command before posting! I’ve removed them myself – but please re-generate your API key immediately, and be careful not to post those publicly in the future.
Regards,
Alec Smecher
Public Knowledge Project Team
Thanks for the warning, I have already regenerated it, and the site is local, not online, so it should be fine.
Hi @sm2020,
Great, just making sure!
I’ve filed this at FormComponent subclasses, even when invoked via the API, require CSRF tokens · Issue #5633 · pkp/pkp-lib · GitHub – watch for an update there.
Regards,
Alec Smecher
Public Knowledge Project Team
Many thanks @asmecher.
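The distinction Alec diagnoses in this thread (a CSRF token protects cookie-session requests, while a request authenticated by an explicit API token carries no ambient credential and so needs no CSRF check), as an added Python example that is not OJS or pkp-lib code. The cookie name, token values, session table and function names are constructed assumptions; only the two error strings come from the responses posted above.

```python
"""Added example (not OJS code): deciding when a CSRF check applies.
A browser attaches session cookies automatically, so cookie-authenticated
state-changing requests must carry a CSRF token. An apiToken sent in the
query string or an Authorization header is supplied deliberately by the
client, so the CSRF check does not apply. buggy_authorize() reproduces the
symptom from the thread: CSRF enforced on token-authenticated POSTs."""
import hmac
from dataclasses import dataclass, field

@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

# Constructed sample values; a real deployment stores these server-side.
VALID_API_TOKENS = {"constructed-api-token"}
SESSION_CSRF = {"sessid-1": "csrf-abc"}   # session id -> expected CSRF token
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

def api_token(req):
    """Token from 'Authorization: Bearer ...' or the ?apiToken= query param."""
    auth = req.headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):]
    return req.query.get("apiToken")

def _authenticate(req):
    """Return ('token', None), ('session', sid) or (None, None)."""
    token = api_token(req)
    if token is not None:   # constant-time compare against each stored token
        ok = any(hmac.compare_digest(token.encode(), t.encode()) for t in VALID_API_TOKENS)
        return ("token", None) if ok else (None, None)
    sid = req.cookies.get("session")   # hypothetical cookie name
    return ("session", sid) if sid in SESSION_CSRF else (None, None)

def _csrf_valid(req, sid):
    return hmac.compare_digest(req.form.get("csrfToken", ""), SESSION_CSRF[sid])

def authorize(req):
    """Correct behaviour: CSRF only for cookie-session mutating requests."""
    kind, sid = _authenticate(req)
    if kind is None:
        return False, "user.authorization.accessDenied"
    if kind == "session" and req.method in MUTATING and not _csrf_valid(req, sid):
        return False, "form.csrfInvalid"
    return True, None

def buggy_authorize(req):
    """Thread symptom: CSRF checked for every mutating request, token or not."""
    kind, sid = _authenticate(req)
    if kind is None:
        return False, "user.authorization.accessDenied"
    if req.method in MUTATING and (sid is None or not _csrf_valid(req, sid)):
        return False, "form.csrfInvalid"
    return True, None
```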