-
|
Hi everyone, I'm a bit lost about how the API works. Last year (Lychee 4.7.1) I had to generate a USER API TOKEN (for cross-site by pass) then login with Session::login and store the authentication in a cookie that I had to give back to all further query Photo::add, etc. This year (Lychee 5.1.2) I have observed two weird fact : Ex of working command: Given that try to Session::login without API TOKEN does not work (I get the famous "Session expired" answer... not the most explicite error message by the way). My questions are :
Thanks in advance for your answers and to the developper to the global great work and animation of the github ! |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 5 replies
-
Yes. with version 5, you should also notice that the buttons for the token, password, U2F etc are moved to a profile page. The code used of the authentication is here:
Okay THAT IS A BUG.
Yeah it is because of the CSRF verification. :| |
Beta Was this translation helpful? Give feedback.
-
|
I guess you will find something around here: :)
Cooool 😲
That's because you can do it another way:
The API token is skipping the CSRF verification and doing Auth at the same time. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks a lot for your answer. curl --request POST --url https://MYURL/api/Session::init --header 'Accept: application/json' --header 'Content-Type: application/json' --data '{}' --cookie-jar lychee_cookie I had not seen, but indeed the lychee_cookie file contains a XSRF-TOKEN But when I try curl --request POST --url https://MYURL/api/Session::login --header 'Accept: application/json' --header 'Content-Type: application/json' --cookie lychee_cookie --data '{ "username":"agademer", "password":"XXXX"}' it does not work. How am I supposed to sent the XSRF token back to the server ? |
Beta Was this translation helpful? Give feedback.
-
|
As an additional header field. : curl --request POST --url https://myurl/api/Session::login --header 'Accept: application/json' --header 'Content-Type: application/json' --header 'X-XSRF-TOKEN: token_value' --cookie lychee_cookie --data '{ "username":"agademer", "password":"XXXX"}'Do note that the token may have some encoding problems. This is our code in the JS part: /**
* Returns the value of the XSRF token if it exists in a cookie.
*
* Inspired by https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie#example_2_get_a_sample_cookie_named_test2
*/
static get #XsrfToken(): string | null {
const cookie = document.cookie.split(";").find((row) => /^\s*(X-)?[XC]SRF-TOKEN\s*=/.test(row));
// We must remove all '%3D' from the end of the string.
// Background:
// The actual binary value of the CSFR value is encoded in Base64.
// If the length of original, binary value is not a multiple of 3 bytes,
// the encoding gets padded with `=` on the right; i.e. there might be
// zero, one or two `=` at the end of the encoded value.
// If the value is sent from the server to the client as part of a cookie,
// the `=` character is URL-encoded as `%3D`, because `=` is already used
// to separate a cookie key from its value.
// When we send back the value to the server as part of an AJAX request,
// Laravel expects an unpadded value.
// Hence, we must remove the `%3D`.
return cookie ? cookie.split("=")[1].trim().replace(/%3D/g, "") : null;
} |
Beta Was this translation helpful? Give feedback.
-
|
Ok. 1/ Thanks for pointing that I needed to remove the %3D at the end I feel that it would be so much simpler (user wise) to reread the info from the cookie.... I don't understand why it's not the case (developer wise) but I image it is complicated 😛 . For the moment I'll stick with User token. Much easier user wise.
do achieve the same task. |
Beta Was this translation helpful? Give feedback.
Ok.
What works (for me)