API requests don't work when I am not logged in

Hi,

According to the OJS API docs, the API should work when sending a request with apiToken, but what I get is unauthorised access when I am not logged in to OJS.
I have tried to regenerate the API token and got the same; any ideas?
Thanks in advance

Hi @sm2020,

Have you set an api_key_secret in your config.inc.php?

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher,

Yes, I did, and regenerated the token a few times, but it didn't help.

regards
Salman

Hi @sm2020,

Is the api_key_secret at least 32 characters? I believe JWT (which we rely upon for API support) has a minimum length requirement.

Regards,
Alec Smecher
Public Knowledge Project Team

Yes, it is more than 32 chars.
I am using Postman for testing, and this is the response for a POST request:

    {
      "error": "form.csrfInvalid",
      "errorMessage": "The form could not be submitted. You may have been logged out. Please reload the page and try again."
    }

and for GET:

    {
      "error": "user.authorization.accessDenied",
      "errorMessage": "##user.authorization.accessDenied##"
    }

Regards
Salman

Hi @sm2020,

Ah, the issue is that the CSRF check is still being executed even though you’re using an API request (which shouldn’t require CSRF checks). What exact version of OJS are you using?

Regards,
Alec Smecher
Public Knowledge Project Team
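The distinction Alec draws above, as an added illustration that is not OJS's code: a hypothetical request-authorization routine in Python that verifies an HS256 apiToken and requires a CSRF token only for cookie-authenticated, state-changing requests. A bearer token in the query string is never attached by the browser on its own, so a cross-site forged request cannot carry it and the CSRF check adds nothing there; a session cookie is attached automatically, which is exactly the ambient credential CSRF abuses. The token format, the 32-character secret floor, the in-memory session store, the error key `invalid_api_token` and all sample values are assumptions constructed for the demo; the two other error keys are the ones quoted in this thread.

```python
import base64
import hashlib
import hmac
import json

# Assumption (not taken from OJS): an HS256 signing key should carry at least
# 256 bits, hence the 32-character floor discussed in the thread.
MIN_SECRET_LEN = 32

# Constructed in-memory session store: cookie value -> user record with its per-session CSRF token.
SESSIONS = {"s3ss10n-c00k1e": {"name": "salman", "csrf": "c5rf-t0k3n"}}

SECRET = "0123456789abcdef0123456789abcdef"  # constructed 32-character api secret


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_api_token(secret: str, payload: dict) -> str:
    """Mint a compact HS256 JWT for the demo (a stand-in, not OJS's own token format)."""
    if len(secret) < MIN_SECRET_LEN:
        raise ValueError("api secret must be at least %d characters" % MIN_SECRET_LEN)
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_api_token(secret: str, token: str):
    """Return the token payload if the HS256 signature is valid, otherwise None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse "none" and any algorithm switch
            return None
        expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(body_b64))
    except ValueError:  # covers malformed base64, bad JSON and bad UTF-8
        return None


def authorize(request: dict, secret: str) -> dict:
    """Classify how a request is authenticated and apply the CSRF check only where it belongs.

    `request` is a constructed dict with keys method, query, cookies and form.
    apiToken auth: token-bearing requests skip the CSRF check.
    Cookie auth: state-changing methods must present the session's CSRF token.
    """
    token = request.get("query", {}).get("apiToken")
    if token is not None:
        payload = verify_api_token(secret, token)
        if payload is None:
            return {"status": 403, "error": "invalid_api_token"}  # constructed error key
        return {"status": 200, "auth": "token", "user": payload.get("sub")}

    user = SESSIONS.get(request.get("cookies", {}).get("session"))
    if user is None:
        return {"status": 403, "error": "user.authorization.accessDenied"}
    if request.get("method", "GET") not in ("GET", "HEAD", "OPTIONS"):
        supplied = request.get("form", {}).get("csrfToken", "")
        if not hmac.compare_digest(supplied, user["csrf"]):
            return {"status": 403, "error": "form.csrfInvalid"}
    return {"status": 200, "auth": "session", "user": user["name"]}


def demo() -> dict:
    """Run the cases a practitioner would check; returns the decision for each."""
    token = make_api_token(SECRET, {"sub": "salman", "iat": 0})
    post_body = {"name": "test", "abbreviation": "test", "urlPath": "test"}
    tampered = token[:-4] + ("BBBB" if token.endswith("AAAA") else "AAAA")
    cookie = {"session": "s3ss10n-c00k1e"}
    return {
        "token_post": authorize({"method": "POST", "query": {"apiToken": token},
                                 "form": post_body}, SECRET),
        "tampered_token_post": authorize({"method": "POST",
                                          "query": {"apiToken": tampered}}, SECRET),
        "cookie_post_no_csrf": authorize({"method": "POST", "cookies": cookie,
                                          "form": post_body}, SECRET),
        "cookie_post_with_csrf": authorize({"method": "POST", "cookies": cookie,
                                            "form": {**post_body, "csrfToken": "c5rf-t0k3n"}}, SECRET),
        "anonymous_get": authorize({"method": "GET"}, SECRET),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:24s} {decision}")
```

The behaviour reported in this thread corresponds to the `cookie_post_no_csrf` branch being reached for a token-authenticated POST; the routine above keeps the two authentication paths separate so the CSRF check is never applied to a request whose credential the browser could not have supplied on an attacker's behalf.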

Hi @asmecher,

Thanks for replying.
I am using OJS 3.2.0

Thanks
Salman

Hi @sm2020,

Thanks – what specific API request are you trying? (Do you have a CURL one-liner handy?)

Regards,
Alec Smecher
Public Knowledge Project Team

Here is the curl:

    curl -X POST \
      'http://(url here)/index.php/%2A/api/v1/contexts?apiToken=(token here)' \
      -H 'cache-control: no-cache' \
      -H 'postman-token: (token here)' \
      -F name=test \
      -F abbreviation=test \
      -F description=test \
      -F urlPath=test

Hi @sm2020,

Whoops, I should’ve warned you to remove your tokens from the CURL command before posting! I’ve removed them myself – but please re-generate your API key immediately, and be careful not to post those publicly in the future.

Regards,
Alec Smecher
Public Knowledge Project Team

Thanks for the warning. I have already regenerated it, and the site is local, not online, so it should be fine.

Hi @sm2020,

Great, just making sure!

I’ve filed this at FormComponent subclasses, even when invoked via the API, require CSRF tokens · Issue #5633 · pkp/pkp-lib · GitHub – watch for an update there.

Regards,
Alec Smecher
Public Knowledge Project Team

Many thanks @asmecher.