I am going to persist here, as it's still not clear to me what has changed in the API.
Ranga documents that the API behavior has changed when trying to access /api/me with basic authentication. It has changed from a 401 to a 302. This also breaks the API tests (https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38), which also expect a 401. This is all fine, but could you provide a bit more context on the change in behavior and whether this is expected?
On Mon, Apr 23, 2018 at 2:53 AM, Morten Olav Hansen morten@dhis2.org wrote:
Try and set the header “X-Requested-With” to “XMLHttpRequest”
–
Morten Olav Hansen
Senior Engineer, DHIS 2
University of Oslo
http://www.dhis2.org
On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire matavirer@gmail.com wrote:
Thanks Jason,
In addition, if you add the ‘-L’ option to the 2.28 and 2.29 queries as follows:
curl -I -L -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
You get a redirect loop which seems infinite until it terminates in error as follows:
HTTP/1.1 302
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 13:13:18 GMT
Content-Length: 0
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
HTTP/1.1 302
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 13:13:18 GMT
Content-Length: 0
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
HTTP/1.1 302
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 13:13:18 GMT
Content-Length: 0
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
HTTP/1.1 302
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 13:13:19 GMT
Content-Length: 0
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
HTTP/1.1 302
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 13:13:19 GMT
Content-Length: 0
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
curl: (47) SSLRead() return error -9806
This causes bugs in applications that access the API for authentication, and I can also see how this can be used to diminish system performance in general.
Regards,
Ranga
On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering jason.p.pickering@gmail.com wrote:
Just to try and make it a bit more clear Morten, I think the issue Rangarirai is asking about is below:
In 2.29 and 2.28, an unauthorized username/password returns a 302.
curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
HTTP/1.1 302
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 06:44:10 GMT
Content-Length: 0
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action
In 2.27, this same request returns a 401.
curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.27/api/me
HTTP/1.1 401
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 06:44:27 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 1071
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27; HttpOnly
WWW-Authenticate: Basic realm="DHIS2"
Content-Language: en
On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire matavirer@gmail.com wrote:
Hi Morten,
The password is set wrong deliberately so as to get a 401 or other response. The problem is when you set the wrong password or username you get endless redirects from the API.
Regards,
Mailing list: https://launchpad.net/~dhis2-devs
Post to : dhis2-devs@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-devs
More help : https://help.launchpad.net/ListHelp
Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049
–
On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen morten@dhis2.org wrote:
It should be district, not distric… but also people keep changing our internal passwords (our database resets every 24 hours)
–
Morten Olav Hansen
Senior Engineer, DHIS 2
University of Oslo
http://www.dhis2.org
On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire matavirer@gmail.com wrote:
By the way, it's not just the error response code that is worrying, but also the loop of redirects that starts, which makes it difficult to handle the response for an HTTP client. To see this loop of redirects, you can add -L to curl as below.
curl -I -L -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.28/api/me
I think this behaviour should be corrected as it may lead to unexpected behaviour of apps.
Regards
On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire matavirer@gmail.com wrote:
Hi Devs,
I am wondering whether the behaviour I am seeing is a bug or something to be expected due to some change.
When I run the following curl command:
curl -I -u admin:distric -H 'Accept: application/json' https://play.dhis2.org/2.29/api/me
I get an HTTP 302 response. Note that I have deliberately set the password wrong so I can mock a 401 Unauthorized response. I get the same response when I run the command on version 2.28. However, as expected, when I run it on 2.27, 2.26, etc. I get a 401 HTTP response.
I hope someone can assist.
Regards,
Ranga
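The thread above describes two client-side problems: a bad-credential call to /api/me on 2.28/2.29 answers 302 to login.action instead of 401, and a client that blindly follows redirects gets stuck in a loop. The following is an added example, not code from the thread or from the DHIS2 project, of how an API client can defend against both: it sends HTTP Basic credentials together with the "X-Requested-With: XMLHttpRequest" header Morten suggests, refuses to follow redirects, and treats a redirect to the login page as an authentication failure. The URL, header names and the login.action path are taken from the thread; the function names, the hop limit and the assumption that the X-Requested-With header makes the server answer 401 are mine and are not confirmed by the thread.

```python
import base64
import urllib.error
import urllib.request

# Path of the login form the 2.28/2.29 servers redirect to (from the thread).
LOGIN_PAGE_SUFFIX = "/dhis-web-commons/security/login.action"
# Hop limit for the redirect walker; constructed value, not from the thread.
MAX_REDIRECTS = 5


def build_request(url, username, password):
    """Build a GET request with HTTP Basic credentials and the AJAX marker.

    X-Requested-With: XMLHttpRequest is the header suggested in the thread;
    whether the server then answers 401 instead of 302 is an assumption here.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(url, method="GET", headers={
        "Authorization": f"Basic {token}",
        "Accept": "application/json",
        "X-Requested-With": "XMLHttpRequest",
    })


def classify_response(status, headers):
    """Map (status, headers) to an outcome the client can act on.

    A 302 whose Location is the login form is reported as 'unauthorized',
    which is what the 2.27 server would have said with a plain 401.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    if status == 401:
        return "unauthorized"
    if status in (301, 302, 303, 307, 308):
        if lower.get("location", "").endswith(LOGIN_PAGE_SUFFIX):
            return "unauthorized"
        return "redirect"
    if 200 <= status < 300:
        return "ok"
    return "error"


def walk_redirects(responses):
    """Follow a sequence of (status, headers) pairs with a hop limit.

    The sequence is whatever a client would see hop by hop; the walker stops
    at the first non-redirect outcome or after MAX_REDIRECTS hops.
    """
    hops = 0
    for status, headers in responses:
        outcome = classify_response(status, headers)
        if outcome != "redirect":
            return outcome
        hops += 1
        if hops >= MAX_REDIRECTS:
            return "redirect-loop"
    return "redirect-loop"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses to the caller instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_credentials(url, username, password, timeout=10):
    """Perform the request without following redirects and classify it.

    urllib raises HTTPError for 3xx/4xx when redirects are not followed,
    so both branches end up in classify_response.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(build_request(url, username, password), timeout=timeout) as resp:
            return classify_response(resp.status, dict(resp.headers.items()))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, dict(err.headers.items()))


if __name__ == "__main__":
    # Live call against the play server from the thread (needs network).
    print(check_credentials("https://play.dhis2.org/2.29/api/me", "admin", "distric"))
```

With the thread's own 2.27 and 2.29 responses fed to classify_response, both come back as "unauthorized", so a test such as the api-tests step can assert on that outcome rather than on a specific status code; the walker only reports "redirect-loop" for redirects that go somewhere other than the login page.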