Hi Morten,

I am going to persist here, as it's still not clear to me what has changed in the API.

Ranga documents that the API behavior has changed when trying to access /api/me with basic authentication. It has changed from a 401 to a 302. This also breaks the API tests (https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38), which also expect a 401. This is all fine, but could you provide a bit more context on the change in behavior and whether this is expected?

Regards,
Jason

On Mon, Apr 23, 2018 at 2:53 AM, Morten Olav Hansen <mor...@dhis2.org> wrote:
> Try and set the header "X-Requested-With" to "XMLHttpRequest"
>
> --
> Morten Olav Hansen
> Senior Engineer, DHIS 2
> University of Oslo
> http://www.dhis2.org
>
> On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire <matavi...@gmail.com> wrote:
>> Thanks Jason,
>>
>> In addition, if you add the '-L' option to the 2.28 and 2.29 queries as follows:
>>
>> curl -I -L -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
>>
>> You get a redirect loop which seems infinite until it terminates in error as follows:
>>
>> HTTP/1.1 302
>> Server: nginx/1.4.6 (Ubuntu)
>> Date: Sat, 21 Apr 2018 13:13:18 GMT
>> Content-Length: 0
>> Connection: keep-alive
>> X-XSS-Protection: 1; mode=block
>> X-Frame-Options: SAMEORIGIN
>> X-Content-Type-Options: nosniff
>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>
>> HTTP/1.1 302
>> Server: nginx/1.4.6 (Ubuntu)
>> Date: Sat, 21 Apr 2018 13:13:18 GMT
>> Content-Length: 0
>> Connection: keep-alive
>> X-XSS-Protection: 1; mode=block
>> X-Frame-Options: SAMEORIGIN
>> X-Content-Type-Options: nosniff
>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>
>> HTTP/1.1 302
>> Server: nginx/1.4.6 (Ubuntu)
>> Date: Sat, 21 Apr 2018 13:13:18 GMT
>> Content-Length: 0
>> Connection: keep-alive
>> X-XSS-Protection: 1; mode=block
>> X-Frame-Options: SAMEORIGIN
>> X-Content-Type-Options: nosniff
>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>
>> HTTP/1.1 302
>> Server: nginx/1.4.6 (Ubuntu)
>> Date: Sat, 21 Apr 2018 13:13:19 GMT
>> Content-Length: 0
>> Connection: keep-alive
>> X-XSS-Protection: 1; mode=block
>> X-Frame-Options: SAMEORIGIN
>> X-Content-Type-Options: nosniff
>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>
>> HTTP/1.1 302
>> Server: nginx/1.4.6 (Ubuntu)
>> Date: Sat, 21 Apr 2018 13:13:19 GMT
>> Content-Length: 0
>> Connection: keep-alive
>> X-XSS-Protection: 1; mode=block
>> X-Frame-Options: SAMEORIGIN
>> X-Content-Type-Options: nosniff
>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>
>> curl: (47) SSLRead() return error -9806
>>
>> This causes bugs in applications that access the API for authentication, and I can also see how this can be used to diminish system performance in general.
>>
>> Regards,
>>
>> Ranga
>>
>> On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering <jason.p.picker...@gmail.com> wrote:
>>> Just to try and make it a bit more clear Morten, I think the issue Rangarirai is asking about is below:
>>>
>>> In 2.29 and 2.28, an unauthorized username/password returns a 302.
>>>
>>> curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
>>> HTTP/1.1 302
>>> Server: nginx/1.4.6 (Ubuntu)
>>> Date: Sat, 21 Apr 2018 06:44:10 GMT
>>> Content-Length: 0
>>> Connection: keep-alive
>>> X-XSS-Protection: 1; mode=block
>>> X-Frame-Options: SAMEORIGIN
>>> X-Content-Type-Options: nosniff
>>> Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
>>>
>>> In 2.27, this same request returns a 401.
>>>
>>> curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.27/api/me
>>> HTTP/1.1 401
>>> Server: nginx/1.4.6 (Ubuntu)
>>> Date: Sat, 21 Apr 2018 06:44:27 GMT
>>> Content-Type: text/html;charset=utf-8
>>> Content-Length: 1071
>>> Connection: keep-alive
>>> X-XSS-Protection: 1; mode=block
>>> X-Frame-Options: SAMEORIGIN
>>> X-Content-Type-Options: nosniff
>>> Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27; HttpOnly
>>> WWW-Authenticate: Basic realm="DHIS2"
>>> Content-Language: en
>>>
>>> On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire <matavi...@gmail.com> wrote:
>>>> Hi Morten,
>>>>
>>>> The password is set wrong deliberately so as to get a 401 or other response. The problem is when you set the wrong password or username you get endless redirects from the API.
>>>>
>>>> Regards,
>>>>
>>>> On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen <mor...@dhis2.org> wrote:
>>>>> It should be district, not distric... but also people keep changing our internal passwords (our database resets every 24 hours)
>>>>>
>>>>> --
>>>>> Morten Olav Hansen
>>>>> Senior Engineer, DHIS 2
>>>>> University of Oslo
>>>>> http://www.dhis2.org
>>>>>
>>>>> On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire <matavi...@gmail.com> wrote:
>>>>>> By the way, it's not just the error response code that is worrying, but also the loop of redirects that starts; this makes it difficult to handle the response for an HTTP client. To see this loop of redirects, you can add -L to curl as below.
>>>>>>
>>>>>> curl -I -L -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.28/api/me
>>>>>>
>>>>>> I think this behaviour should be corrected as it may lead to unexpected behaviour of apps.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire <matavi...@gmail.com> wrote:
>>>>>>> Hi Devs,
>>>>>>>
>>>>>>> I am wondering whether the behaviour I am seeing is a bug or something to be expected due to some change.
>>>>>>>
>>>>>>> When I run the following curl command:
>>>>>>>
>>>>>>> curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
>>>>>>>
>>>>>>> I get an HTTP 302 response. Note that I have deliberately set the password wrong so I can mock a 401 unauthorized response. I get the same response when I run the command on version 2.28. However, as expected, when I run it on 2.27, 2.26 etc. I get a 401 HTTP response.
>>>>>>>
>>>>>>> I hope someone can assist.
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Ranga
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Mailing list: https://launchpad.net/~dhis2-devs
>>>>>>> Post to : dhis2-devs@lists.launchpad.net
>>>>>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>>>>>> More help : https://help.launchpad.net/ListHelp
>>>
>>> --
>>> Jason P. Pickering
>>> email: jason.p.picker...@gmail.com
>>> tel:+46764147049

--
Jason P. Pickering
email: jason.p.picker...@gmail.com
tel:+46764147049
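The thread describes two things an API client has to cope with: a failed Basic-auth request to /api/me on 2.28/2.29 answers with a 302 to the login page instead of a 401, and a client that blindly follows redirects (curl -L) then loops. The following Python is an added example, not code from the thread, from the dhis2/api-tests project or from DHIS2 itself. It shows the client-side defence: build the request with the X-Requested-With header Morten suggests, treat a redirect to login.action as "not authenticated" instead of following it, and cap the number of hops so a loop can never run away. The `fake_dhis2` function is a constructed stand-in for the server that reproduces only the responses quoted in the thread; its assumption that the X-Requested-With header turns the 302 into a 401 is taken from Morten's hint and is not verified here. All function and variable names are the example's own.

```python
"""Redirect-loop guard for a DHIS2-style JSON API client (added example)."""
import base64
import json
from urllib.parse import urlsplit

# Path of the login page that the 302 responses in the thread point to.
LOGIN_PATH = "/dhis-web-commons/security/login.action"
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5  # hard cap: a well-behaved API never needs more


def basic_auth_headers(username, password, ajax=True):
    """Request headers: HTTP Basic credentials plus, when ajax=True, the
    X-Requested-With header suggested in the thread."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Accept": "application/json"}
    if ajax:
        headers["X-Requested-With"] = "XMLHttpRequest"
    return headers


def classify(status, headers, stop_on_login=True):
    """Map a response to 'ok', 'unauthenticated', 'redirect' or 'error'.
    A redirect whose Location is the login page is an auth failure in
    disguise and is reported as such instead of being followed."""
    if status == 200:
        return "ok"
    if status == 401:
        return "unauthenticated"
    if status in REDIRECT_CODES:
        location = headers.get("Location", "")
        if stop_on_login and urlsplit(location).path.endswith(LOGIN_PATH):
            return "unauthenticated"
        return "redirect"
    return "error"


def fetch(send, url, headers, max_redirects=MAX_REDIRECTS, stop_on_login=True):
    """Issue the request through `send(url, headers) -> (status, headers, body)`,
    following at most `max_redirects` hops. Returns (outcome, hops, body)."""
    hops = 0
    while True:
        status, resp_headers, body = send(url, headers)
        outcome = classify(status, resp_headers, stop_on_login)
        if outcome != "redirect":
            return outcome, hops, body
        hops += 1
        if hops > max_redirects:
            return "redirect_loop", hops, body  # give up instead of spinning
        url = resp_headers["Location"]


def fake_dhis2(base="https://play.dhis2.org/2.29", good_password="district"):
    """Constructed stand-in for the server (NOT DHIS2 code). It reproduces the
    responses quoted in the thread: wrong Basic credentials get a 302 to
    login.action, and fetching login.action with the same credentials gets
    another 302, so a redirect-following client loops. It ASSUMES, following
    Morten's hint, that X-Requested-With: XMLHttpRequest yields a 401 instead."""
    login_url = base + LOGIN_PATH

    def send(url, headers):
        auth = headers.get("Authorization", "")
        ok = False
        if auth.startswith("Basic "):
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
            ok = (user, pw) == ("admin", good_password)
        if ok and urlsplit(url).path.endswith("/api/me"):
            return 200, {"Content-Type": "application/json"}, json.dumps({"name": "admin"})
        if headers.get("X-Requested-With") == "XMLHttpRequest":
            return 401, {"WWW-Authenticate": 'Basic realm="DHIS2"'}, ""
        return 302, {"Location": login_url, "Content-Length": "0"}, ""

    return send


if __name__ == "__main__":
    send = fake_dhis2()
    url = "https://play.dhis2.org/2.29/api/me"
    naive = basic_auth_headers("admin", "distric", ajax=False)
    # Following every redirect, as curl -L does, only ends because of the cap.
    print(fetch(send, url, naive, stop_on_login=False)[:2])   # ('redirect_loop', 6)
    # Recognising the login redirect stops after the first response.
    print(fetch(send, url, naive)[:2])                        # ('unauthenticated', 0)
    # With the header from the thread the server is assumed to answer 401.
    print(fetch(send, url, basic_auth_headers("admin", "distric"))[:2])
```

The guard works even if the server keeps the 302 behaviour: `classify` short-circuits on the login Location, and `fetch` bounds the damage for any other redirect chain, which also removes the denial-of-service angle Ranga raises (a client that follows redirects forever hammers the server and hangs itself).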