Try and set the header "X-Requested-With" to "XMLHttpRequest"
--
Morten Olav Hansen
Senior Engineer, DHIS 2
University of Oslo
http://www.dhis2.org

On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire <matavi...@gmail.com> wrote:

> Thanks Jason,
>
> In addition, if you add the '-L' option to the 2.28 and 2.29 queries as
> follows:
>
> curl -I -L -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
>
> You get a redirect loop which seems infinite until it terminates in error
> as follows:
>
> > HTTP/1.1 302
> > Server: nginx/1.4.6 (Ubuntu)
> > Date: Sat, 21 Apr 2018 13:13:18 GMT
> > Content-Length: 0
> > Connection: keep-alive
> > X-XSS-Protection: 1; mode=block
> > X-Frame-Options: SAMEORIGIN
> > X-Content-Type-Options: nosniff
> > Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
> >
> > HTTP/1.1 302
> > Server: nginx/1.4.6 (Ubuntu)
> > Date: Sat, 21 Apr 2018 13:13:18 GMT
> > Content-Length: 0
> > Connection: keep-alive
> > X-XSS-Protection: 1; mode=block
> > X-Frame-Options: SAMEORIGIN
> > X-Content-Type-Options: nosniff
> > Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
> >
> > HTTP/1.1 302
> > Server: nginx/1.4.6 (Ubuntu)
> > Date: Sat, 21 Apr 2018 13:13:18 GMT
> > Content-Length: 0
> > Connection: keep-alive
> > X-XSS-Protection: 1; mode=block
> > X-Frame-Options: SAMEORIGIN
> > X-Content-Type-Options: nosniff
> > Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
> >
> > HTTP/1.1 302
> > Server: nginx/1.4.6 (Ubuntu)
> > Date: Sat, 21 Apr 2018 13:13:19 GMT
> > Content-Length: 0
> > Connection: keep-alive
> > X-XSS-Protection: 1; mode=block
> > X-Frame-Options: SAMEORIGIN
> > X-Content-Type-Options: nosniff
> > Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
> >
> > HTTP/1.1 302
> > Server: nginx/1.4.6 (Ubuntu)
> > Date: Sat, 21 Apr 2018 13:13:19 GMT
> > Content-Length: 0
> > Connection: keep-alive
> > X-XSS-Protection: 1; mode=block
> > X-Frame-Options: SAMEORIGIN
> > X-Content-Type-Options: nosniff
> > Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
> >
> > curl: (47) SSLRead() return error -9806
>
> This causes bugs in applications that access the api for authentication and
> I can also see how this can be used to diminish system performance in
> general.
>
> Regards,
>
> Ranga
>
> On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering <jason.p.picker...@gmail.com> wrote:
>
>> Just to try and make it a bit more clear Morten, I think the issue
>> Rangarirai is asking about is below:
>>
>> In 2.29 and 2.28, an unauthorized username/password returns a 302.
>>
>> curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
>> HTTP/1.1 302
>> Server: nginx/1.4.6 (Ubuntu)
>> Date: Sat, 21 Apr 2018 06:44:10 GMT
>> Content-Length: 0
>> Connection: keep-alive
>> X-XSS-Protection: 1; mode=block
>> X-Frame-Options: SAMEORIGIN
>> X-Content-Type-Options: nosniff
>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>
>> In 2.27, this same request returns a 401.
>>
>> curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.27/api/me
>> HTTP/1.1 401
>> Server: nginx/1.4.6 (Ubuntu)
>> Date: Sat, 21 Apr 2018 06:44:27 GMT
>> Content-Type: text/html;charset=utf-8
>> Content-Length: 1071
>> Connection: keep-alive
>> X-XSS-Protection: 1; mode=block
>> X-Frame-Options: SAMEORIGIN
>> X-Content-Type-Options: nosniff
>> Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27; HttpOnly
>> WWW-Authenticate: Basic realm="DHIS2"
>> Content-Language: en
>>
>> On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire <matavi...@gmail.com> wrote:
>>
>>> Hi Morten,
>>>
>>> The password is set wrong deliberately so as to get a 401 or other
>>> response. The problem is when you set the wrong password or username you
>>> get endless redirects from the API.
>>>
>>> Regards,
>>>
>>> On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen <mor...@dhis2.org> wrote:
>>>
>>>> It should be district, not distric... but also people keep changing our
>>>> internal passwords (our database resets every 24 hours)
>>>>
>>>> --
>>>> Morten Olav Hansen
>>>> Senior Engineer, DHIS 2
>>>> University of Oslo
>>>> http://www.dhis2.org
>>>>
>>>> On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire <matavi...@gmail.com> wrote:
>>>>
>>>>> By the way, it's not just the error response code that is worrying, but
>>>>> also the loop of redirects that starts, this makes it difficult to handle
>>>>> the response for an http client. To see this loop of redirects, you can
>>>>> add -L to curl as below.
>>>>>
>>>>> curl -I -L -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.28/api/me
>>>>>
>>>>> I think this behaviour should be corrected as it may lead to
>>>>> unexpected behaviour of apps.
>>>>>
>>>>> Regards
>>>>>
>>>>> On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire <matavi...@gmail.com> wrote:
>>>>>
>>>>>> Hi Devs,
>>>>>>
>>>>>> I am wondering whether the behaviour I am seeing is a bug or
>>>>>> something to be expected due to some change.
>>>>>>
>>>>>> When I run the following curl command:
>>>>>>
>>>>>> curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
>>>>>>
>>>>>> I get an HTTP 302 response. Note that I have deliberately set the
>>>>>> password wrong so I can mock a 401 unauthorized response. I get the same
>>>>>> response when I run the command on version 2.28. However, as expected,
>>>>>> when I run it on 2.27, 2.26 etc I get a 401 HTTP response.
>>>>>>
>>>>>> I hope someone can assist.
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Ranga
>>>>>
>>>>> _______________________________________________
>>>>> Mailing list: https://launchpad.net/~dhis2-devs
>>>>> Post to     : dhis2-devs@lists.launchpad.net
>>>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>>>> More help   : https://help.launchpad.net/ListHelp
>>
>> --
>> Jason P. Pickering
>> email: jason.p.picker...@gmail.com
>> tel:+46764147049
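A client-side check for the behaviour discussed in this thread, as an added example that is not part of the original messages: it classifies the header dump printed by `curl -I` or `curl -I -L`, so a caller can tell a 401 from a 302 to the login page and from a repeated redirect. The function names and the `API_PASS` variable are hypothetical, and the sample responses are constructed from the output quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: classify `curl -I` / `curl -I -L` output.

# Reads HTTP response header blocks on stdin and prints one verdict:
#   ok | unauthorized | login-redirect | redirect-loop | other
classify_auth_response() {
  tr -d '\r' | awk '
    /^HTTP\// { status = $2; loc = ""; next }    # start of a response block
    tolower($1) == "location:" {
      loc = $2
      if (loc != "" && loc == prev_loc) repeated = 1   # same target again
      prev_loc = loc
      next
    }
    END {
      if (repeated) print "redirect-loop"
      else if (status ~ /^3/ && loc ~ /login\.action$/) print "login-redirect"
      else if (status == "401") print "unauthorized"
      else if (status ~ /^2/) print "ok"
      else print "other"
    }'
}

# Hypothetical helper: probe URL $1 as user $2, password taken from $API_PASS.
# Redirects are not followed (no -L), so a login redirect is reported as such.
# Credentials go to curl through a config on stdin, not the command line
# (assumes the password contains no double quote or backslash).
# X-Requested-With is the header suggested in the reply above.
probe_api_auth() {
  printf 'user = "%s:%s"\n' "$2" "$API_PASS" |
    curl -sS -I --max-time 10 -K - \
      -H 'Accept: application/json' \
      -H 'X-Requested-With: XMLHttpRequest' "$1" |
    classify_auth_response
}

# Constructed samples, shaped like the curl output quoted in the thread.
sample_302() {
  printf 'HTTP/1.1 302\r\nServer: nginx/1.4.6 (Ubuntu)\r\nContent-Length: 0\r\n'
  printf 'Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action\r\n\r\n'
}
sample_401() {
  printf 'HTTP/1.1 401\r\nWWW-Authenticate: Basic realm="DHIS2"\r\n\r\n'
}
sample_loop() { sample_302; sample_302; sample_302; }

sample_302  | classify_auth_response
sample_401  | classify_auth_response
sample_loop | classify_auth_response
```
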