API not showing 401 Unauthorized error

Hi Devs,

I am wondering whether the behaviour I am seeing is a bug or something to be expected due to some change.

When I run the following curl command:

curl -I -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.29/api/me

I get an HTTP 302 response. Note that I have deliberately set the password wrong so I can mock a 401 unauthorized response. I get the same response when I run the command on version 2.28. However, as expected, when I run it on 2.27, 2.26 etc I get a 401 HTTP response.

I hope someone can assist.

Regards,

Ranga

By the way, its not just the error response code that is worrying, but also the loop of redirects that starts, this makes it difficult to handle the response for an http client. To see this loop of redirects, you can add -L to curl as below.

curl -I -L -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.28/api/me

I think this behaviour should be corrected as it may lead to unexpected behaviour of apps.

Regards

···

On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire matavirer@gmail.com wrote:

Hi Devs,

I am wondering whether the behaviour I am seeing is a bug or something to be expected due to some change.

When I run the following curl command:

curl -I -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.29/api/me

I get an HTTP 302 response. Note that I have deliberately set the password wrong so I can mock a 401 unauthorized response. I get the same response when I run the command on version 2.28. However, as expected, when I run it on 2.27, 2.26 etc I get a 401 HTTP response.

I hope someone can assist.

Regards,

Ranga

It should be district, not distric… but also people keep changing our internal passwords (our database resets every 24 hour)

···

On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire matavirer@gmail.com wrote:

By the way, its not just the error response code that is worrying, but also the loop of redirects that starts, this makes it difficult to handle the response for an http client. To see this loop of redirects, you can add -L to curl as below.

curl -I -L -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.28/api/me

I think this behaviour should be corrected as it may lead to unexpected behaviour of apps.

Regards


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire matavirer@gmail.com wrote:

Hi Devs,

I am wondering whether the behaviour I am seeing is a bug or something to be expected due to some change.

When I run the following curl command:

curl -I -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.29/api/me

I get an HTTP 302 response. Note that I have deliberately set the password wrong so I can mock a 401 unauthorized response. I get the same response when I run the command on version 2.28. However, as expected, when I run it on 2.27, 2.26 etc I get a 401 HTTP response.

I hope someone can assist.

Regards,

Ranga

Hi Morten,

The password is set wrong deliberately so as to get a 401 or other response. The problem is when you set the wrong password or username you get endless redirects from the API.

Regards,

···

On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen morten@dhis2.org wrote:

It should be district, not distric… but also people keep changing our internal passwords (our database resets every 24 hour)

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire matavirer@gmail.com wrote:

By the way, its not just the error response code that is worrying, but also the loop of redirects that starts, this makes it difficult to handle the response for an http client. To see this loop of redirects, you can add -L to curl as below.

curl -I -L -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.28/api/me

I think this behaviour should be corrected as it may lead to unexpected behaviour of apps.

Regards


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire matavirer@gmail.com wrote:

Hi Devs,

I am wondering whether the behaviour I am seeing is a bug or something to be expected due to some change.

When I run the following curl command:

curl -I -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.29/api/me

I get an HTTP 302 response. Note that I have deliberately set the password wrong so I can mock a 401 unauthorized response. I get the same response when I run the command on version 2.28. However, as expected, when I run it on 2.27, 2.26 etc I get a 401 HTTP response.

I hope someone can assist.

Regards,

Ranga

Just to try and make it a bit more clear Morten, I think this is the issue Rangarai is asking about is below:

In 2.29 and 2.28, an unauthorized username/password returns a 302.

curl -I -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.29/api/me

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

···

On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire matavirer@gmail.com wrote:

Hi Morten,

The password is set wrong deliberately so as to get a 401 or other response. The problem is when you set the wrong password or username you get endless redirects from the API.

Regards,


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen morten@dhis2.org wrote:

It should be district, not distric… but also people keep changing our internal passwords (our database resets every 24 hour)

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire matavirer@gmail.com wrote:

By the way, its not just the error response code that is worrying, but also the loop of redirects that starts, this makes it difficult to handle the response for an http client. To see this loop of redirects, you can add -L to curl as below.

curl -I -L -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.28/api/me

I think this behaviour should be corrected as it may lead to unexpected behaviour of apps.

Regards


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire matavirer@gmail.com wrote:

Hi Devs,

I am wondering whether the behaviour I am seeing is a bug or something to be expected due to some change.

When I run the following curl command:

curl -I -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.29/api/me

I get an HTTP 302 response. Note that I have deliberately set the password wrong so I can mock a 401 unauthorized response. I get the same response when I run the command on version 2.28. However, as expected, when I run it on 2.27, 2.26 etc I get a 401 HTTP response.

I hope someone can assist.

Regards,

Ranga

Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

Thanks Jason,

In addition, if you add the ‘-L’ option to the 2.28 and 2.29 queries as follows:

curl -I -L -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.29/api/me

You get a redirect loop which seems infinite until it terminates in error as follows:

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

···

On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering jason.p.pickering@gmail.com wrote:

Just to try and make it a bit more clear Morten, I think this is the issue Rangarai is asking about is below:

In 2.29 and 2.28, an unauthorized username/password returns a 302.

curl -I -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.29/api/me

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:10 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

In 2.27, this same request returns a 401.

curl -I -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.27/api/me

HTTP/1.1 401

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:27 GMT

Content-Type: text/html;charset=utf-8

Content-Length: 1071

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27; HttpOnly

WWW-Authenticate: Basic realm=“DHIS2”

Content-Language: en

On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire matavirer@gmail.com wrote:

Hi Morten,

The password is set wrong deliberately so as to get a 401 or other response. The problem is when you set the wrong password or username you get endless redirects from the API.

Regards,


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen morten@dhis2.org wrote:

It should be district, not distric… but also people keep changing our internal passwords (our database resets every 24 hour)

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire matavirer@gmail.com wrote:

By the way, its not just the error response code that is worrying, but also the loop of redirects that starts, this makes it difficult to handle the response for an http client. To see this loop of redirects, you can add -L to curl as below.

curl -I -L -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.28/api/me

I think this behaviour should be corrected as it may lead to unexpected behaviour of apps.

Regards


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire matavirer@gmail.com wrote:

Hi Devs,

I am wondering whether the behaviour I am seeing is a bug or something to be expected due to some change.

When I run the following curl command:

curl -I -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.29/api/me

I get an HTTP 302 response. Note that I have deliberately set the password wrong so I can mock a 401 unauthorized response. I get the same response when I run the command on version 2.28. However, as expected, when I run it on 2.27, 2.26 etc I get a 401 HTTP response.

I hope someone can assist.

Regards,

Ranga

Try and set the header “X-Requested-With” to “XMLHttpRequest”

···

On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire matavirer@gmail.com wrote:

Thanks Jason,

In addition, if you add the ‘-L’ option to the 2.28 and 2.29 queries as follows:

curl -I -L -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.29/api/me

You get a redirect loop which seems infinite until it terminates in error as follows:

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

curl: (47) SSLRead() return error -9806

This causes bug in applications that access the api for authentication and I can also see how this can be used to diminish system performance in general.

Regards,

Ranga

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering jason.p.pickering@gmail.com wrote:

Just to try and make it a bit more clear Morten, I think this is the issue Rangarai is asking about is below:

In 2.29 and 2.28, an unauthorized username/password returns a 302.

curl -I -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.29/api/me

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:10 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

In 2.27, this same request returns a 401.

curl -I -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.27/api/me

HTTP/1.1 401

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:27 GMT

Content-Type: text/html;charset=utf-8

Content-Length: 1071

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27; HttpOnly

WWW-Authenticate: Basic realm=“DHIS2”

Content-Language: en

On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire matavirer@gmail.com wrote:

Hi Morten,

The password is set wrong deliberately so as to get a 401 or other response. The problem is when you set the wrong password or username you get endless redirects from the API.

Regards,


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen morten@dhis2.org wrote:

It should be district, not distric… but also people keep changing our internal passwords (our database resets every 24 hour)

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire matavirer@gmail.com wrote:

By the way, its not just the error response code that is worrying, but also the loop of redirects that starts, this makes it difficult to handle the response for an http client. To see this loop of redirects, you can add -L to curl as below.

curl -I -L -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.28/api/me

I think this behaviour should be corrected as it may lead to unexpected behaviour of apps.

Regards


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire matavirer@gmail.com wrote:

Hi Devs,

I am wondering whether the behaviour I am seeing is a bug or something to be expected due to some change.

When I run the following curl command:

curl -I -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.29/api/me

I get an HTTP 302 response. Note that I have deliberately set the password wrong so I can mock a 401 unauthorized response. I get the same response when I run the command on version 2.28. However, as expected, when I run it on 2.27, 2.26 etc I get a 401 HTTP response.

I hope someone can assist.

Regards,

Ranga

Hi Morten,

I am going to persist here, as its still not clear to me what has changed in the API.

Ranga documents that the API behavior has changed when trying to access /api/me with basic authentication. It has changed from a 401 to a 302. This also breaks the API tests (https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38) which also expects a 401. This is all fine, but could you provide a bit more context on the change in behavior and whether this is expected?

Regards,

Jason

···

On Mon, Apr 23, 2018 at 2:53 AM, Morten Olav Hansen morten@dhis2.org wrote:

Try and set the header “X-Requested-With” to “XMLHttpRequest”

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire matavirer@gmail.com wrote:

Thanks Jason,

In addition, if you add the ‘-L’ option to the 2.28 and 2.29 queries as follows:

curl -I -L -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.29/api/me

You get a redirect loop which seems infinite until it terminates in error as follows:

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

curl: (47) SSLRead() return error -9806

This causes bug in applications that access the api for authentication and I can also see how this can be used to diminish system performance in general.

Regards,

Ranga

On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering jason.p.pickering@gmail.com wrote:

Just to try and make it a bit more clear Morten, I think this is the issue Rangarai is asking about is below:

In 2.29 and 2.28, an unauthorized username/password returns a 302.

curl -I -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.29/api/me

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:10 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location: https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

In 2.27, this same request returns a 401.

curl -I -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.27/api/me

HTTP/1.1 401

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:27 GMT

Content-Type: text/html;charset=utf-8

Content-Length: 1071

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27; HttpOnly

WWW-Authenticate: Basic realm=“DHIS2”

Content-Language: en

On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire matavirer@gmail.com wrote:

Hi Morten,

The password is set wrong deliberately so as to get a 401 or other response. The problem is when you set the wrong password or username you get endless redirects from the API.

Regards,


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen morten@dhis2.org wrote:

It should be district, not distric… but also people keep changing our internal passwords (our database resets every 24 hour)

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire matavirer@gmail.com wrote:

By the way, its not just the error response code that is worrying, but also the loop of redirects that starts, this makes it difficult to handle the response for an http client. To see this loop of redirects, you can add -L to curl as below.

curl -I -L -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.28/api/me

I think this behaviour should be corrected as it may lead to unexpected behaviour of apps.

Regards


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire matavirer@gmail.com wrote:

Hi Devs,

I am wondering whether the behaviour I am seeing is a bug or something to be expected due to some change.

When I run the following curl command:

curl -I -u admin:distric -H ‘Accept: application/json’ https://play.dhis2.org/2.29/api/me

I get an HTTP 302 response. Note that I have deliberately set the password wrong so I can mock a 401 unauthorized response. I get the same response when I run the command on version 2.28. However, as expected, when I run it on 2.27, 2.26 etc I get a 401 HTTP response.

I hope someone can assist.

Regards,

Ranga

Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

Hi Jason

I am not sure that this is all fine. It looks to me like this is a
bug which has slipped in and that the original 401 response is the
correct expected behaviour. API users using pre-emptive basic
authentication have no good reason to be redirected to the login page
with invalid credentials.

Regards
Bob

···

On 23 April 2018 at 09:46, Jason Pickering <jason.p.pickering@gmail.com> wrote:

Hi Morten,

I am going to persist here, as its still not clear to me what has changed in
the API.

Ranga documents that the API behavior has changed when trying to access
/api/me with basic authentication. It has changed from a 401 to a 302. This
also breaks the API tests
(https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38)
which also expects a 401. This is all fine, but could you provide a bit more
context on the change in behavior and whether this is expected?

Regards,
Jason

On Mon, Apr 23, 2018 at 2:53 AM, Morten Olav Hansen <morten@dhis2.org> > wrote:

Try and set the header "X-Requested-With" to "XMLHttpRequest"

--
Morten Olav Hansen
Senior Engineer, DHIS 2
University of Oslo
http://www.dhis2.org

On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire <matavirer@gmail.com> >> wrote:

Thanks Jason,

In addition, if you add the '-L' option to the 2.28 and 2.29 queries as
follows:

curl -I -L -u admin:distric -H 'Accept: application/json'
https://play.dhis2.org/2.29/api/me

You get a redirect loop which seems infinite until it terminates in error
as follows:

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:
https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:
https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:
https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:
https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:
https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

curl: (47) SSLRead() return error -9806

This causes bug in applications that access the api for authentication
and I can also see how this can be used to diminish system performance in
general.

Regards,

Ranga

On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering >>> <jason.p.pickering@gmail.com> wrote:

Just to try and make it a bit more clear Morten, I think this is the
issue Rangarai is asking about is below:

In 2.29 and 2.28, an unauthorized username/password returns a 302.

curl -I -u admin:distric -H 'Accept: application/json'
https://play.dhis2.org/2.29/api/me
HTTP/1.1 302
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 06:44:10 GMT
Content-Length: 0
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location:
https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

In 2.27, this same request returns a 401.

curl -I -u admin:distric -H 'Accept: application/json'
https://play.dhis2.org/2.27/api/me
HTTP/1.1 401
Server: nginx/1.4.6 (Ubuntu)
Date: Sat, 21 Apr 2018 06:44:27 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 1071
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27;
HttpOnly
WWW-Authenticate: Basic realm="DHIS2"
Content-Language: en

On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire >>>> <matavirer@gmail.com> wrote:

Hi Morten,

The password is set wrong deliberately so as to get a 401 or other
response. The problem is when you set the wrong password or username you get
endless redirects from the API.

Regards,

On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen <morten@dhis2.org> >>>>> wrote:

It should be district, not distric... but also people keep changing
our internal passwords (our database resets every 24 hour)

--
Morten Olav Hansen
Senior Engineer, DHIS 2
University of Oslo
http://www.dhis2.org

On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire >>>>>> <matavirer@gmail.com> wrote:

By the way, its not just the error response code that is worrying,
but also the loop of redirects that starts, this makes it difficult to
handle the response for an http client. To see this loop of redirects, you
can add -L to curl as below.

curl -I -L -u admin:distric -H 'Accept: application/json'
https://play.dhis2.org/2.28/api/me

I think this behaviour should be corrected as it may lead to
unexpected behaviour of apps.

Regards

On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire >>>>>>> <matavirer@gmail.com> wrote:

Hi Devs,

I am wondering whether the behaviour I am seeing is a bug or
something to be expected due to some change.

When I run the following curl command:

curl -I -u admin:distric -H 'Accept: application/json'
https://play.dhis2.org/2.29/api/me

I get an HTTP 302 response. Note that I have deliberately set the
password wrong so I can mock a 401 unauthorized response. I get the same
response when I run the command on version 2.28. However, as expected, when
I run it on 2.27, 2.26 etc I get a 401 HTTP response.

I hope someone can assist.

Regards,

Ranga

_______________________________________________
Mailing list: https://launchpad.net/~dhis2-devs
Post to : dhis2-devs@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-devs
More help : https://help.launchpad.net/ListHelp

_______________________________________________
Mailing list: https://launchpad.net/~dhis2-devs
Post to : dhis2-devs@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-devs
More help : https://help.launchpad.net/ListHelp

--
Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

--
Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

_______________________________________________
Mailing list: https://launchpad.net/~dhis2-devs
Post to : dhis2-devs@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-devs
More help : https://help.launchpad.net/ListHelp

Hi Bob,

Yeah,I am not sure its fine either but what I am trying to get information on is what the expected behavior actually should be. Seems it should not be this though from what you and Ranga are saying. Just to exclude any possible effect from the reverse proxy, its the same against a localhost:

  • Trying 127.0.0.1…

  • TCP_NODELAY set

  • Connected to localhost (127.0.0.1) port 8080 (#0)

  • Server auth using Basic with user ‘admin’

GET /api/me HTTP/1.1

Host: localhost:8080

Authorization: Basic YWRtaW46ZGlzdHJpY3Q=

User-Agent: curl/7.53.1

Accept: /

< HTTP/1.1 302 Found

< Server: Apache-Coyote/1.1

< X-XSS-Protection: 1; mode=block

< X-Frame-Options: SAMEORIGIN

< X-Content-Type-Options: nosniff

< Location: http://localhost/dhis-web-commons/security/login.action

< Content-Length: 0

< Date: Mon, 23 Apr 2018 12:15:22 GMT

···

On Mon, Apr 23, 2018 at 11:36 AM, Bob Jolliffe bobjolliffe@gmail.com wrote:

Hi Jason

I am not sure that this is all fine. It looks to me like this is a

bug which has slipped in and that the original 401 response is the

correct expected behaviour. API users using pre-emptive basic

authentication have no good reason to be redirected to the login page

with invalid credentials.

Regards

Bob

On 23 April 2018 at 09:46, Jason Pickering jason.p.pickering@gmail.com wrote:

Hi Morten,

I am going to persist here, as its still not clear to me what has changed in

the API.

Ranga documents that the API behavior has changed when trying to access

/api/me with basic authentication. It has changed from a 401 to a 302. This

also breaks the API tests

(https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38)

which also expects a 401. This is all fine, but could you provide a bit more

context on the change in behavior and whether this is expected?

Regards,

Jason

On Mon, Apr 23, 2018 at 2:53 AM, Morten Olav Hansen morten@dhis2.org

wrote:

Try and set the header “X-Requested-With” to “XMLHttpRequest”

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire matavirer@gmail.com

wrote:

Thanks Jason,

In addition, if you add the ‘-L’ option to the 2.28 and 2.29 queries as

follows:

curl -I -L -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

You get a redirect loop which seems infinite until it terminates in error

as follows:

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

curl: (47) SSLRead() return error -9806

This causes bug in applications that access the api for authentication

and I can also see how this can be used to diminish system performance in

general.

Regards,

Ranga

On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering

jason.p.pickering@gmail.com wrote:

Just to try and make it a bit more clear Morten, I think this is the

issue Rangarai is asking about is below:

In 2.29 and 2.28, an unauthorized username/password returns a 302.

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:10 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

In 2.27, this same request returns a 401.

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.27/api/me

HTTP/1.1 401

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:27 GMT

Content-Type: text/html;charset=utf-8

Content-Length: 1071

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27;

HttpOnly

WWW-Authenticate: Basic realm=“DHIS2”

Content-Language: en

On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

Hi Morten,

The password is set wrong deliberately so as to get a 401 or other

response. The problem is when you set the wrong password or username you get

endless redirects from the API.

Regards,

On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen morten@dhis2.org

wrote:

It should be district, not distric… but also people keep changing

our internal passwords (our database resets every 24 hour)

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

By the way, its not just the error response code that is worrying,

but also the loop of redirects that starts, this makes it difficult to

handle the response for an http client. To see this loop of redirects, you

can add -L to curl as below.

curl -I -L -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.28/api/me

I think this behaviour should be corrected as it may lead to

unexpected behaviour of apps.

Regards

On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

Hi Devs,

I am wondering whether the behaviour I am seeing is a bug or

something to be expected due to some change.

When I run the following curl command:

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

I get an HTTP 302 response. Note that I have deliberately set the

password wrong so I can mock a 401 unauthorized response. I get the same

response when I run the command on version 2.28. However, as expected, when

I run it on 2.27, 2.26 etc I get a 401 HTTP response.

I hope someone can assist.

Regards,

Ranga


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Jason P. Pickering

email: jason.p.pickering@gmail.com

tel:+46764147049

Jason P. Pickering

email: jason.p.pickering@gmail.com

tel:+46764147049


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

I’m not sure exactly what you mean Jason, this has been like this always? Are you saying this behavior has changed? because it should not have. To make the browser properly redirect to the login page, it needs to send a 302 to forward it.

In 2.28 we introduced the X-Requested-With header which tells DHIS2 that this request is done by XHR (and not a browser), we can’t change the default to 401 as it would break things badly.

···

On Mon, Apr 23, 2018 at 7:17 PM, Jason Pickering jason.p.pickering@gmail.com wrote:

Hi Bob,

Yeah,I am not sure its fine either but what I am trying to get information on is what the expected behavior actually should be. Seems it should not be this though from what you and Ranga are saying. Just to exclude any possible effect from the reverse proxy, its the same against a localhost:

  • Trying 127.0.0.1…
  • TCP_NODELAY set
  • Connected to localhost (127.0.0.1) port 8080 (#0)
  • Server auth using Basic with user ‘admin’

GET /api/me HTTP/1.1

Host: localhost:8080

Authorization: Basic YWRtaW46ZGlzdHJpY3Q=

User-Agent: curl/7.53.1

Accept: /

< HTTP/1.1 302 Found

< Server: Apache-Coyote/1.1

< X-XSS-Protection: 1; mode=block

< X-Frame-Options: SAMEORIGIN

< X-Content-Type-Options: nosniff

< Location: http://localhost/dhis-web-commons/security/login.action

< Content-Length: 0

< Date: Mon, 23 Apr 2018 12:15:22 GMT

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Mon, Apr 23, 2018 at 11:36 AM, Bob Jolliffe bobjolliffe@gmail.com wrote:

Hi Jason

I am not sure that this is all fine. It looks to me like this is a

bug which has slipped in and that the original 401 response is the

correct expected behaviour. API users using pre-emptive basic

authentication have no good reason to be redirected to the login page

with invalid credentials.

Regards

Bob

On 23 April 2018 at 09:46, Jason Pickering jason.p.pickering@gmail.com wrote:

Hi Morten,

I am going to persist here, as its still not clear to me what has changed in

the API.

Ranga documents that the API behavior has changed when trying to access

/api/me with basic authentication. It has changed from a 401 to a 302. This

also breaks the API tests

(https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38)

which also expects a 401. This is all fine, but could you provide a bit more

context on the change in behavior and whether this is expected?

Regards,

Jason

On Mon, Apr 23, 2018 at 2:53 AM, Morten Olav Hansen morten@dhis2.org

wrote:

Try and set the header “X-Requested-With” to “XMLHttpRequest”

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire matavirer@gmail.com

wrote:

Thanks Jason,

In addition, if you add the ‘-L’ option to the 2.28 and 2.29 queries as

follows:

curl -I -L -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

You get a redirect loop which seems infinite until it terminates in error

as follows:

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

curl: (47) SSLRead() return error -9806

This causes bug in applications that access the api for authentication

and I can also see how this can be used to diminish system performance in

general.

Regards,

Ranga

On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering

jason.p.pickering@gmail.com wrote:

Just to try and make it a bit more clear Morten, I think this is the

issue Rangarai is asking about is below:

In 2.29 and 2.28, an unauthorized username/password returns a 302.

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:10 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

In 2.27, this same request returns a 401.

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.27/api/me

HTTP/1.1 401

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:27 GMT

Content-Type: text/html;charset=utf-8

Content-Length: 1071

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27;

HttpOnly

WWW-Authenticate: Basic realm=“DHIS2”

Content-Language: en

On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

Hi Morten,

The password is set wrong deliberately so as to get a 401 or other

response. The problem is when you set the wrong password or username you get

endless redirects from the API.

Regards,

On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen morten@dhis2.org

wrote:

It should be district, not distric… but also people keep changing

our internal passwords (our database resets every 24 hour)

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

By the way, its not just the error response code that is worrying,

but also the loop of redirects that starts, this makes it difficult to

handle the response for an http client. To see this loop of redirects, you

can add -L to curl as below.

curl -I -L -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.28/api/me

I think this behaviour should be corrected as it may lead to

unexpected behaviour of apps.

Regards

On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

Hi Devs,

I am wondering whether the behaviour I am seeing is a bug or

something to be expected due to some change.

When I run the following curl command:

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

I get an HTTP 302 response. Note that I have deliberately set the

password wrong so I can mock a 401 unauthorized response. I get the same

response when I run the command on version 2.28. However, as expected, when

I run it on 2.27, 2.26 etc I get a 401 HTTP response.

I hope someone can assist.

Regards,

Ranga


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Jason P. Pickering

email: jason.p.pickering@gmail.com

tel:+46764147049

Jason P. Pickering

email: jason.p.pickering@gmail.com

tel:+46764147049


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp


Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

In what version did this return a 401? because that sounds like a bug to me… if you give me the version number, I can have a look

···

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Tue, Apr 24, 2018 at 9:38 AM, Morten Olav Hansen morten@dhis2.org wrote:

I’m not sure exactly what you mean Jason, this has been like this always? Are you saying this behavior has changed? because it should not have. To make the browser properly redirect to the login page, it needs to send a 302 to forward it.

In 2.28 we introduced the X-Requested-With header which tells DHIS2 that this request is done by XHR (and not a browser), we can’t change the default to 401 as it would break things badly.

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Mon, Apr 23, 2018 at 7:17 PM, Jason Pickering jason.p.pickering@gmail.com wrote:

Hi Bob,

Yeah,I am not sure its fine either but what I am trying to get information on is what the expected behavior actually should be. Seems it should not be this though from what you and Ranga are saying. Just to exclude any possible effect from the reverse proxy, its the same against a localhost:

  • Trying 127.0.0.1…
  • TCP_NODELAY set
  • Connected to localhost (127.0.0.1) port 8080 (#0)
  • Server auth using Basic with user ‘admin’

GET /api/me HTTP/1.1

Host: localhost:8080

Authorization: Basic YWRtaW46ZGlzdHJpY3Q=

User-Agent: curl/7.53.1

Accept: /

< HTTP/1.1 302 Found

< Server: Apache-Coyote/1.1

< X-XSS-Protection: 1; mode=block

< X-Frame-Options: SAMEORIGIN

< X-Content-Type-Options: nosniff

< Location: http://localhost/dhis-web-commons/security/login.action

< Content-Length: 0

< Date: Mon, 23 Apr 2018 12:15:22 GMT

On Mon, Apr 23, 2018 at 11:36 AM, Bob Jolliffe bobjolliffe@gmail.com wrote:

Hi Jason

I am not sure that this is all fine. It looks to me like this is a

bug which has slipped in and that the original 401 response is the

correct expected behaviour. API users using pre-emptive basic

authentication have no good reason to be redirected to the login page

with invalid credentials.

Regards

Bob

On 23 April 2018 at 09:46, Jason Pickering jason.p.pickering@gmail.com wrote:

Hi Morten,

I am going to persist here, as its still not clear to me what has changed in

the API.

Ranga documents that the API behavior has changed when trying to access

/api/me with basic authentication. It has changed from a 401 to a 302. This

also breaks the API tests

(https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38)

which also expects a 401. This is all fine, but could you provide a bit more

context on the change in behavior and whether this is expected?

Regards,

Jason

On Mon, Apr 23, 2018 at 2:53 AM, Morten Olav Hansen morten@dhis2.org

wrote:

Try and set the header “X-Requested-With” to “XMLHttpRequest”

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire matavirer@gmail.com

wrote:

Thanks Jason,

In addition, if you add the ‘-L’ option to the 2.28 and 2.29 queries as

follows:

curl -I -L -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

You get a redirect loop which seems infinite until it terminates in error

as follows:

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

curl: (47) SSLRead() return error -9806

This causes bug in applications that access the api for authentication

and I can also see how this can be used to diminish system performance in

general.

Regards,

Ranga

On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering

jason.p.pickering@gmail.com wrote:

Just to try and make it a bit more clear Morten, I think this is the

issue Rangarai is asking about is below:

In 2.29 and 2.28, an unauthorized username/password returns a 302.

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:10 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

In 2.27, this same request returns a 401.

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.27/api/me

HTTP/1.1 401

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:27 GMT

Content-Type: text/html;charset=utf-8

Content-Length: 1071

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27;

HttpOnly

WWW-Authenticate: Basic realm=“DHIS2”

Content-Language: en

On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

Hi Morten,

The password is set wrong deliberately so as to get a 401 or other

response. The problem is when you set the wrong password or username you get

endless redirects from the API.

Regards,

On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen morten@dhis2.org

wrote:

It should be district, not distric… but also people keep changing

our internal passwords (our database resets every 24 hour)

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

By the way, its not just the error response code that is worrying,

but also the loop of redirects that starts, this makes it difficult to

handle the response for an http client. To see this loop of redirects, you

can add -L to curl as below.

curl -I -L -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.28/api/me

I think this behaviour should be corrected as it may lead to

unexpected behaviour of apps.

Regards

On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

Hi Devs,

I am wondering whether the behaviour I am seeing is a bug or

something to be expected due to some change.

When I run the following curl command:

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

I get an HTTP 302 response. Note that I have deliberately set the

password wrong so I can mock a 401 unauthorized response. I get the same

response when I run the command on version 2.28. However, as expected, when

I run it on 2.27, 2.26 etc I get a 401 HTTP response.

I hope someone can assist.

Regards,

Ranga


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Jason P. Pickering

email: jason.p.pickering@gmail.com

tel:+46764147049

Jason P. Pickering

email: jason.p.pickering@gmail.com

tel:+46764147049


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp


Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

Hi Morten,
All of the information is provided in this thread. What both Ranga and I are saying is that when authenticating with basic authentication, and the authentication is not successful the following behavior is seen

  1. In versions below 2.27 and below, a 401 response is sent from the server.

  2. In versions 2.28 and above, a 302 response is sent from the server.

The API tests were developed against 2.27, and it was a 401 response sent by the server with basic authentication was not successful.

https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38

···

Regards,

Jason

On Tue, Apr 24, 2018 at 4:39 AM, Morten Olav Hansen morten@dhis2.org wrote:

In what version did this return a 401? because that sounds like a bug to me… if you give me the version number, I can have a look

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Tue, Apr 24, 2018 at 9:38 AM, Morten Olav Hansen morten@dhis2.org wrote:

I’m not sure exactly what you mean Jason, this has been like this always? Are you saying this behavior has changed? because it should not have. To make the browser properly redirect to the login page, it needs to send a 302 to forward it.

In 2.28 we introduced the X-Requested-With header which tells DHIS2 that this request is done by XHR (and not a browser), we can’t change the default to 401 as it would break things badly.

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Mon, Apr 23, 2018 at 7:17 PM, Jason Pickering jason.p.pickering@gmail.com wrote:

Hi Bob,

Yeah,I am not sure its fine either but what I am trying to get information on is what the expected behavior actually should be. Seems it should not be this though from what you and Ranga are saying. Just to exclude any possible effect from the reverse proxy, its the same against a localhost:

  • Trying 127.0.0.1…
  • TCP_NODELAY set
  • Connected to localhost (127.0.0.1) port 8080 (#0)
  • Server auth using Basic with user ‘admin’

GET /api/me HTTP/1.1

Host: localhost:8080

Authorization: Basic YWRtaW46ZGlzdHJpY3Q=

User-Agent: curl/7.53.1

Accept: /

< HTTP/1.1 302 Found

< Server: Apache-Coyote/1.1

< X-XSS-Protection: 1; mode=block

< X-Frame-Options: SAMEORIGIN

< X-Content-Type-Options: nosniff

< Location: http://localhost/dhis-web-commons/security/login.action

< Content-Length: 0

< Date: Mon, 23 Apr 2018 12:15:22 GMT

On Mon, Apr 23, 2018 at 11:36 AM, Bob Jolliffe bobjolliffe@gmail.com wrote:

Hi Jason

I am not sure that this is all fine. It looks to me like this is a

bug which has slipped in and that the original 401 response is the

correct expected behaviour. API users using pre-emptive basic

authentication have no good reason to be redirected to the login page

with invalid credentials.

Regards

Bob

On 23 April 2018 at 09:46, Jason Pickering jason.p.pickering@gmail.com wrote:

Hi Morten,

I am going to persist here, as its still not clear to me what has changed in

the API.

Ranga documents that the API behavior has changed when trying to access

/api/me with basic authentication. It has changed from a 401 to a 302. This

also breaks the API tests

(https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38)

which also expects a 401. This is all fine, but could you provide a bit more

context on the change in behavior and whether this is expected?

Regards,

Jason

On Mon, Apr 23, 2018 at 2:53 AM, Morten Olav Hansen morten@dhis2.org

wrote:

Try and set the header “X-Requested-With” to “XMLHttpRequest”

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire matavirer@gmail.com

wrote:

Thanks Jason,

In addition, if you add the ‘-L’ option to the 2.28 and 2.29 queries as

follows:

curl -I -L -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

You get a redirect loop which seems infinite until it terminates in error

as follows:

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

curl: (47) SSLRead() return error -9806

This causes bug in applications that access the api for authentication

and I can also see how this can be used to diminish system performance in

general.

Regards,

Ranga

On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering

jason.p.pickering@gmail.com wrote:

Just to try and make it a bit more clear Morten, I think this is the

issue Rangarai is asking about is below:

In 2.29 and 2.28, an unauthorized username/password returns a 302.

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:10 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

In 2.27, this same request returns a 401.

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.27/api/me

HTTP/1.1 401

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:27 GMT

Content-Type: text/html;charset=utf-8

Content-Length: 1071

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27;

HttpOnly

WWW-Authenticate: Basic realm=“DHIS2”

Content-Language: en

On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

Hi Morten,

The password is set wrong deliberately so as to get a 401 or other

response. The problem is when you set the wrong password or username you get

endless redirects from the API.

Regards,

On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen morten@dhis2.org

wrote:

It should be district, not distric… but also people keep changing

our internal passwords (our database resets every 24 hour)

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

By the way, its not just the error response code that is worrying,

but also the loop of redirects that starts, this makes it difficult to

handle the response for an http client. To see this loop of redirects, you

can add -L to curl as below.

curl -I -L -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.28/api/me

I think this behaviour should be corrected as it may lead to

unexpected behaviour of apps.

Regards

On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

Hi Devs,

I am wondering whether the behaviour I am seeing is a bug or

something to be expected due to some change.

When I run the following curl command:

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

I get an HTTP 302 response. Note that I have deliberately set the

password wrong so I can mock a 401 unauthorized response. I get the same

response when I run the command on version 2.28. However, as expected, when

I run it on 2.27, 2.26 etc I get a 401 HTTP response.

I hope someone can assist.

Regards,

Ranga


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Jason P. Pickering

email: jason.p.pickering@gmail.com

tel:+46764147049

Jason P. Pickering

email: jason.p.pickering@gmail.com

tel:+46764147049


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp


Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

I think maybe its related to openldap, there was some issues with our ldap configuration a while back

Please file a jira issue for it, and I will have Viet have a look at it (at least we can confirm the reason)

···

On Tue, Apr 24, 2018 at 12:21 PM, Jason Pickering jason.p.pickering@gmail.com wrote:

Hi Morten,
All of the information is provided in this thread. What both Ranga and I are saying is that when authenticating with basic authentication, and the authentication is not successful the following behavior is seen

  1. In versions below 2.27 and below, a 401 response is sent from the server.
  1. In versions 2.28 and above, a 302 response is sent from the server.

The API tests were developed against 2.27, and it was a 401 response sent by the server with basic authentication was not successful.

https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

Regards,

Jason

On Tue, Apr 24, 2018 at 4:39 AM, Morten Olav Hansen morten@dhis2.org wrote:

In what version did this return a 401? because that sounds like a bug to me… if you give me the version number, I can have a look


Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Tue, Apr 24, 2018 at 9:38 AM, Morten Olav Hansen morten@dhis2.org wrote:

I’m not sure exactly what you mean Jason, this has been like this always? Are you saying this behavior has changed? because it should not have. To make the browser properly redirect to the login page, it needs to send a 302 to forward it.

In 2.28 we introduced the X-Requested-With header which tells DHIS2 that this request is done by XHR (and not a browser), we can’t change the default to 401 as it would break things badly.

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Mon, Apr 23, 2018 at 7:17 PM, Jason Pickering jason.p.pickering@gmail.com wrote:

Hi Bob,

Yeah,I am not sure its fine either but what I am trying to get information on is what the expected behavior actually should be. Seems it should not be this though from what you and Ranga are saying. Just to exclude any possible effect from the reverse proxy, its the same against a localhost:

  • Trying 127.0.0.1…
  • TCP_NODELAY set
  • Connected to localhost (127.0.0.1) port 8080 (#0)
  • Server auth using Basic with user ‘admin’

GET /api/me HTTP/1.1

Host: localhost:8080

Authorization: Basic YWRtaW46ZGlzdHJpY3Q=

User-Agent: curl/7.53.1

Accept: /

< HTTP/1.1 302 Found

< Server: Apache-Coyote/1.1

< X-XSS-Protection: 1; mode=block

< X-Frame-Options: SAMEORIGIN

< X-Content-Type-Options: nosniff

< Location: http://localhost/dhis-web-commons/security/login.action

< Content-Length: 0

< Date: Mon, 23 Apr 2018 12:15:22 GMT

On Mon, Apr 23, 2018 at 11:36 AM, Bob Jolliffe bobjolliffe@gmail.com wrote:

Hi Jason

I am not sure that this is all fine. It looks to me like this is a

bug which has slipped in and that the original 401 response is the

correct expected behaviour. API users using pre-emptive basic

authentication have no good reason to be redirected to the login page

with invalid credentials.

Regards

Bob

On 23 April 2018 at 09:46, Jason Pickering jason.p.pickering@gmail.com wrote:

Hi Morten,

I am going to persist here, as its still not clear to me what has changed in

the API.

Ranga documents that the API behavior has changed when trying to access

/api/me with basic authentication. It has changed from a 401 to a 302. This

also breaks the API tests

(https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38)

which also expects a 401. This is all fine, but could you provide a bit more

context on the change in behavior and whether this is expected?

Regards,

Jason

On Mon, Apr 23, 2018 at 2:53 AM, Morten Olav Hansen morten@dhis2.org

wrote:

Try and set the header “X-Requested-With” to “XMLHttpRequest”

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire matavirer@gmail.com

wrote:

Thanks Jason,

In addition, if you add the ‘-L’ option to the 2.28 and 2.29 queries as

follows:

curl -I -L -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

You get a redirect loop which seems infinite until it terminates in error

as follows:

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

curl: (47) SSLRead() return error -9806

This causes bug in applications that access the api for authentication

and I can also see how this can be used to diminish system performance in

general.

Regards,

Ranga

On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering

jason.p.pickering@gmail.com wrote:

Just to try and make it a bit more clear Morten, I think this is the

issue Rangarai is asking about is below:

In 2.29 and 2.28, an unauthorized username/password returns a 302.

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:10 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

In 2.27, this same request returns a 401.

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.27/api/me

HTTP/1.1 401

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:27 GMT

Content-Type: text/html;charset=utf-8

Content-Length: 1071

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27;

HttpOnly

WWW-Authenticate: Basic realm=“DHIS2”

Content-Language: en

On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

Hi Morten,

The password is set wrong deliberately so as to get a 401 or other

response. The problem is when you set the wrong password or username you get

endless redirects from the API.

Regards,

On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen morten@dhis2.org

wrote:

It should be district, not distric… but also people keep changing

our internal passwords (our database resets every 24 hour)

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

By the way, its not just the error response code that is worrying,

but also the loop of redirects that starts, this makes it difficult to

handle the response for an http client. To see this loop of redirects, you

can add -L to curl as below.

curl -I -L -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.28/api/me

I think this behaviour should be corrected as it may lead to

unexpected behaviour of apps.

Regards

On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

Hi Devs,

I am wondering whether the behaviour I am seeing is a bug or

something to be expected due to some change.

When I run the following curl command:

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

I get an HTTP 302 response. Note that I have deliberately set the

password wrong so I can mock a 401 unauthorized response. I get the same

response when I run the command on version 2.28. However, as expected, when

I run it on 2.27, 2.26 etc I get a 401 HTTP response.

I hope someone can assist.

Regards,

Ranga


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Jason P. Pickering

email: jason.p.pickering@gmail.com

tel:+46764147049

Jason P. Pickering

email: jason.p.pickering@gmail.com

tel:+46764147049


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp


Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

It’s also documented here so if this behavior really has changed and this is not a bug, we need to change the docs as well:

https://docs.dhis2.org/master/en/developer/html/webapi_system_resource.html#d0e12069

JIRA issue here:

https://jira.dhis2.org/browse/DHIS2-3519

···

On Tue, Apr 24, 2018 at 10:05 AM, Morten Olav Hansen morten@dhis2.org wrote:

I think maybe its related to openldap, there was some issues with our ldap configuration a while back

Please file a jira issue for it, and I will have Viet have a look at it (at least we can confirm the reason)

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Tue, Apr 24, 2018 at 12:21 PM, Jason Pickering jason.p.pickering@gmail.com wrote:

Hi Morten,
All of the information is provided in this thread. What both Ranga and I are saying is that when authenticating with basic authentication, and the authentication is not successful the following behavior is seen

  1. In versions below 2.27 and below, a 401 response is sent from the server.
  1. In versions 2.28 and above, a 302 response is sent from the server.

The API tests were developed against 2.27, and it was a 401 response sent by the server with basic authentication was not successful.

https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38

Regards,

Jason

On Tue, Apr 24, 2018 at 4:39 AM, Morten Olav Hansen morten@dhis2.org wrote:

In what version did this return a 401? because that sounds like a bug to me… if you give me the version number, I can have a look


Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Tue, Apr 24, 2018 at 9:38 AM, Morten Olav Hansen morten@dhis2.org wrote:

I’m not sure exactly what you mean Jason, this has been like this always? Are you saying this behavior has changed? because it should not have. To make the browser properly redirect to the login page, it needs to send a 302 to forward it.

In 2.28 we introduced the X-Requested-With header which tells DHIS2 that this request is done by XHR (and not a browser), we can’t change the default to 401 as it would break things badly.

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Mon, Apr 23, 2018 at 7:17 PM, Jason Pickering jason.p.pickering@gmail.com wrote:

Hi Bob,

Yeah,I am not sure its fine either but what I am trying to get information on is what the expected behavior actually should be. Seems it should not be this though from what you and Ranga are saying. Just to exclude any possible effect from the reverse proxy, its the same against a localhost:

  • Trying 127.0.0.1…
  • TCP_NODELAY set
  • Connected to localhost (127.0.0.1) port 8080 (#0)
  • Server auth using Basic with user ‘admin’

GET /api/me HTTP/1.1

Host: localhost:8080

Authorization: Basic YWRtaW46ZGlzdHJpY3Q=

User-Agent: curl/7.53.1

Accept: /

< HTTP/1.1 302 Found

< Server: Apache-Coyote/1.1

< X-XSS-Protection: 1; mode=block

< X-Frame-Options: SAMEORIGIN

< X-Content-Type-Options: nosniff

< Location: http://localhost/dhis-web-commons/security/login.action

< Content-Length: 0

< Date: Mon, 23 Apr 2018 12:15:22 GMT

On Mon, Apr 23, 2018 at 11:36 AM, Bob Jolliffe bobjolliffe@gmail.com wrote:

Hi Jason

I am not sure that this is all fine. It looks to me like this is a

bug which has slipped in and that the original 401 response is the

correct expected behaviour. API users using pre-emptive basic

authentication have no good reason to be redirected to the login page

with invalid credentials.

Regards

Bob

On 23 April 2018 at 09:46, Jason Pickering jason.p.pickering@gmail.com wrote:

Hi Morten,

I am going to persist here, as its still not clear to me what has changed in

the API.

Ranga documents that the API behavior has changed when trying to access

/api/me with basic authentication. It has changed from a 401 to a 302. This

also breaks the API tests

(https://github.com/dhis2/api-tests/blob/master/features/step_definitions/authentication.js#L38)

which also expects a 401. This is all fine, but could you provide a bit more

context on the change in behavior and whether this is expected?

Regards,

Jason

On Mon, Apr 23, 2018 at 2:53 AM, Morten Olav Hansen morten@dhis2.org

wrote:

Try and set the header “X-Requested-With” to “XMLHttpRequest”

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Sat, Apr 21, 2018 at 8:19 PM, Rangarirai Matavire matavirer@gmail.com

wrote:

Thanks Jason,

In addition, if you add the ‘-L’ option to the 2.28 and 2.29 queries as

follows:

curl -I -L -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

You get a redirect loop which seems infinite until it terminates in error

as follows:

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:18 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 13:13:19 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

curl: (47) SSLRead() return error -9806

This causes bug in applications that access the api for authentication

and I can also see how this can be used to diminish system performance in

general.

Regards,

Ranga

On Sat, Apr 21, 2018 at 8:51 AM, Jason Pickering

jason.p.pickering@gmail.com wrote:

Just to try and make it a bit more clear Morten, I think this is the

issue Rangarai is asking about is below:

In 2.29 and 2.28, an unauthorized username/password returns a 302.

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

HTTP/1.1 302

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:10 GMT

Content-Length: 0

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Location:

https://play.dhis2.org/2.29/dhis-web-commons/security/login.action

In 2.27, this same request returns a 401.

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.27/api/me

HTTP/1.1 401

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 21 Apr 2018 06:44:27 GMT

Content-Type: text/html;charset=utf-8

Content-Length: 1071

Connection: keep-alive

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options: nosniff

Set-Cookie: JSESSIONID=05596EBFC26A7C1843D298E98619C7FB; Path=/2.27;

HttpOnly

WWW-Authenticate: Basic realm=“DHIS2”

Content-Language: en

On Fri, Apr 20, 2018 at 1:40 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

Hi Morten,

The password is set wrong deliberately so as to get a 401 or other

response. The problem is when you set the wrong password or username you get

endless redirects from the API.

Regards,

On Fri, Apr 20, 2018 at 1:24 PM, Morten Olav Hansen morten@dhis2.org

wrote:

It should be district, not distric… but also people keep changing

our internal passwords (our database resets every 24 hour)

Morten Olav Hansen

Senior Engineer, DHIS 2

University of Oslo

http://www.dhis2.org

On Fri, Apr 20, 2018 at 12:09 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

By the way, its not just the error response code that is worrying,

but also the loop of redirects that starts, this makes it difficult to

handle the response for an http client. To see this loop of redirects, you

can add -L to curl as below.

curl -I -L -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.28/api/me

I think this behaviour should be corrected as it may lead to

unexpected behaviour of apps.

Regards

On Wed, Apr 18, 2018 at 11:10 PM, Rangarirai Matavire

matavirer@gmail.com wrote:

Hi Devs,

I am wondering whether the behaviour I am seeing is a bug or

something to be expected due to some change.

When I run the following curl command:

curl -I -u admin:distric -H ‘Accept: application/json’

https://play.dhis2.org/2.29/api/me

I get an HTTP 302 response. Note that I have deliberately set the

password wrong so I can mock a 401 unauthorized response. I get the same

response when I run the command on version 2.28. However, as expected, when

I run it on 2.27, 2.26 etc I get a 401 HTTP response.

I hope someone can assist.

Regards,

Ranga


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp

Jason P. Pickering

email: jason.p.pickering@gmail.com

tel:+46764147049

Jason P. Pickering

email: jason.p.pickering@gmail.com

tel:+46764147049


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp


Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049

Jason P. Pickering
email: jason.p.pickering@gmail.com
tel:+46764147049