REST API - apiToken does not work

Hello!

I am working with OJS 3.1, and am trying to access the submissions via the REST API.

First, I can confirm that in a browser in which I am logged in, this works, giving me the submissions in json format:

https://our-test-url.org/ojs/index.php/our-test-journal/api/v1/submissions

In order to access the api from my program, I have generated a secret key in the ojs config file, and I have api keys for my admin user and my test users in the ojs profile. I have checked the box to allow external applications to access my instance with the API key, and saved. Then I tried this url in a browser in which I am not logged in:

https://our-test-url.org/ojs/index.php/our-test-journal/api/v1/submissions?apiToken=eyJ0eXAiOiJKhbGciOilBnJkJIUzI.Im51bGwi.loLZRKAJ1NiJ9lL7SaV-Lm2nV1QiLCJTRD--R3Ko49uRFeqx5m

With this, I get “404 Not Found”, just as I do when I try without the apiToken. What am I doing wrong?

Thanks for any tips!

-Paul

Hey @paulwwarner

Does this post help? 404 Error using API - RESOLVED

Cheers,

Thanks for this tip, but unfortunately it did not help to generate a new token. I am still unable to access the API with the token. I can only access the api through the browser with a logged in user.

I am starting to look through the source code, and when I use the REST API, I see that my apiToken appears in the authorizationPolicy object, and that I am the user who has been identified. I get this when I am logged in, or when I am not logged in, but using my api key. When I am in the browser logged in, then the SubmissionHandler returns the decision 1 AUTHORIZATION_PERMIT, but when I try from a browser in which I am not logged in, but using apiToken=my_long_api_key_from_my_profile, then I get 2 AUTHORIZATION_DENY. This happens even though I am correctly identified, and I have abundant rights to view submissions.

Hi @paulwwarner,

Have you specified a salt value in your config.inc.php that is long enough? I believe it needs to be at least 128 bits (16 bytes).

Thanks,
Alec Smecher
Public Knowledge Project Team

Thanks, Alec (@asmecher), for the pointer. Sorry, it took a while to answer - I was on vacation over the holiday.

I now have a salt and an api key in the config file that are 137 bits long, have regenerated my apiToken in my profile, and have restarted apache. However, I am still getting “404 not found” when I try to access the rest api from a browser in which I am not logged in. My personalized log output shows that the app is correctly recognizing me from the apiToken. And when I am logged in, I can access the submissions perfectly. So the permissions are also fine.

One thing I notice in the user object that I print to the log: the apiKey is much different (and much shorter) than the one in my config file, and also much different than the apiToken I am using from my Profile. Is that normal? The setting for apiKeyEnabled is 1.

Thanks,
Paul

Hi @paulwwarner,

The code that’s supposed to be decoding the API token is in lib/pkp/classes/security/authorization/internal/ApiTokenDecodingMiddleware.inc.php. I’d suggest adding some error_log calls to that code to determine whether it’s being called, and if so, whether the token was successfully decoded.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher,

I checked ApiTokenDecodingMiddleware.inc.php, which checks the token and throws an exception if there is a problem. For my tests, it was called, it analysed the api token, generated the shorter version of the token that appears in my user object (using json_decode), and returned true.

In lib/pkp/classes/handler/PKPHandler.inc.php, I can see 4 huge Authorization Policies, ContextAccessPolicy, RestrictedSiteAccessPolicy, HttpsPolicy, and UserRolesRequiredPolicy (in which I could unfortunately not find any useful hints) and one User object, which in every case identified the correct user for the apiToken.

In ApiAuthorizationMiddleware.inc.php (next to ApiTokenDecodingMiddleware.inc.php in the directory), the authorization fails with the message:

user.authorization.restrictedSiteAccess

So, this must be the problem. On our site, we have set that only logged in users can view the site (from our Users and Roles, Site Access Options page):

Additional Site and Article Access Restrictions

checked: Users must be registered and log in to view the journal site.
checked: Users must be registered and log in to view open access content.

User Registration

Visitors can register a user account with the journal.

checked: The Journal Manager will register all user accounts. Editors or Section Editors may register user accounts for reviewers.

When I remove the requirement to log in, the apiToken works. Hooray! The long search is over. Now I just need to figure out how to log in from my script.

Thanks very much for the patient help!

Best regards,
Paul
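The thread above describes the apiToken as something ApiTokenDecodingMiddleware verifies and then json_decodes into the shorter apiKey that shows up on the user object, with the secret from config.inc.php needing at least 128 bits. The following is an added example, not code from the OJS project or from anyone in this thread. It assumes (from the `eyJ...` shape of the token in the first post) that the profile apiToken is an HS256 JWT whose payload is the JSON-encoded apiKey, signed with a config secret that this example calls `api_key_secret`; both the token layout and that config key name are assumptions here. It shows why the decoded apiKey is shorter than the apiToken, enforces the 128-bit secret check from the thread, and rejects tokens with a tampered payload or an unexpected `alg`.

```python
"""Added example: round-trip of an OJS-style apiToken (assumed HS256 JWT format).

Only the standard library is used so it runs offline. The apiKey, secret and
journal URL below are constructed sample values, not real credentials.
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlencode

MIN_SECRET_BITS = 128  # thread advice: the config secret must be at least 128 bits

# Constructed sample values (NOT real): a user's apiKey and the config secret.
SAMPLE_API_KEY = "c1f2e3d4b5a6978877665544332211ff"
SAMPLE_SECRET = secrets.token_hex(32)          # 64 ASCII chars = 512 bits
SAMPLE_BASE = "https://our-test-url.org/ojs/index.php/our-test-journal"


def _b64url(data: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def secret_is_long_enough(secret: str) -> bool:
    """The 'salt / api key secret at least 128 bits (16 bytes)' check from the thread."""
    return len(secret.encode("utf-8")) * 8 >= MIN_SECRET_BITS


def encode_api_token(api_key: str, secret: str) -> str:
    """Build the long profile apiToken from the short apiKey (assumed OJS layout)."""
    if not secret_is_long_enough(secret):
        raise ValueError("config secret shorter than 128 bits")
    header = _b64url(json.dumps({"typ": "JWT", "alg": "HS256"},
                                separators=(",", ":")).encode())
    # Payload is the JSON-encoded key string, which is why decode() needs json.loads.
    payload = _b64url(json.dumps(api_key).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_api_token(token: str, secret: str) -> str:
    """Verify the token and return the short apiKey (what ends up on the user object).

    Raises ValueError on a malformed token, an alg other than HS256 (so an
    'alg: none' token is refused), or a signature mismatch.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch (wrong secret or tampered token)")
    api_key = json.loads(_b64url_decode(payload_b64))
    if not isinstance(api_key, str):
        raise ValueError("payload is not a JSON string")
    return api_key


def submissions_url(base: str, token: str) -> str:
    """The URL shape used in the thread: .../api/v1/submissions?apiToken=..."""
    return f"{base}/api/v1/submissions?{urlencode({'apiToken': token})}"


if __name__ == "__main__":
    tok = encode_api_token(SAMPLE_API_KEY, SAMPLE_SECRET)
    print("apiToken length:", len(tok), "decoded apiKey length:",
          len(decode_api_token(tok, SAMPLE_SECRET)))
    print(submissions_url(SAMPLE_BASE, tok))
```

Note that a valid signature only identifies the user; as the thread found, the request is still refused by RestrictedSiteAccessPolicy when "Users must be registered and log in to view the journal site" is enabled, so a correct token is necessary but not sufficient.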

Hi @paulwwarner,

That was a tricky one :)

Glad you figured it out! Are you using that option long-term, or just while you’re e.g. testing and experimenting?

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher,

We are testing ojs as part of a project, https://www.amad.org/, to see if we can use the open peer review function to clear articles for ‘publication’ in our DSpace repository (this site is still in development). We want people to come to the repository, so we may keep the ojs peer-review site private for that reason. It will have only a small portion of the articles we would like to list on the site, anyway.

So, for my automated harvesting, I need to find a way to log in via my script. I have captured the OJSSID cookie and the csrfToken, and am still not logging in with the script. I haven’t found any information about it, so if I cannot crack it today, I will post a new question to the list.

Best regards and again, many thanks,
Paul