Anomalous API results

Ryan_NR · June 22, 2020, 3:26pm

Howdy!

I’m trying to run an API call to create a new topic. Discourse API Docs

Using Postman I am sending in the API Key / Username / Content-Type as Headers, and JSON data in the body.

I have verified the API Username and Key are correct, but, the API call returns the HTML of our sign in page.

Is this expected? How can I work around that?

Falco · June 22, 2020, 4:35pm

Can you please paste the cURL version of the API call you are trying to make?

Ryan_NR · June 23, 2020, 7:05am

Sure…

curl -X POST 'https://staging-discuss.newrelic.com/posts.json' \
     -H 'Api-Username: RyanVeitch' -i \
     -H 'Api-Key: My-API-Key' -i \
     -H 'Content-Type: application/json' \
     -d \
'{
    "title": "My fancy title",
    "raw": "Some random text to fill my topic",
    "category": 212,
    "created_at": "2020-06-22"
}'

In the terminal I get this output:

HTTP/1.1 307 Temporary Redirect
Proxied-By: Service Gateway
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://staging-login.newrelic.com/login?return_to=https%3A%2F%2Fstaging-discuss.newrelic.com%2Fposts.json
content-type: text/plain;charset=UTF-8
content-length: 138

Redirecting to a different URI: https://staging-login.newrelic.com/login?return_to=https%3A%2F%2Fstaging-discuss.newrelic.com%2Fposts.json%

Ryan_NR · June 23, 2020, 3:36pm

Let me know if you need anything else from my side to help in troubleshooting

Falco · June 24, 2020, 6:45am

Appears that you have a very custom setup with a proxy in the middle.

That is not standard Discourse behavior, so it looks like this is caused by your special proxy thing.

Maybe there is a special Header you can send to bypass the proxy? Gotta check with that product docs.

Ryan_NR · June 24, 2020, 6:45am

Cool! Thanks @Falco - I’ll dig in with our dev team

Ryan_NR · June 25, 2020, 9:31am

Hey @Falco - I managed to get through the proxy but I’m now being hit by 403 BAD CSRF Errors.

I see this thread seems kinda unfinished…

Do you have any thoughts on how to beat these errors?

blake · June 25, 2020, 3:37pm

I just tested your example curl command locally and it is working fine for me so the syntax is all correct. Is is possible the proxy is stripping some headers? That could be why you are getting the BAD CSRF errors because it can no longer read/access the api credentials.

Ryan_NR · June 25, 2020, 3:51pm

Thanks @blake

Our proxy is fully custom in house built and it’s a front layer to the public.

I’m VPN’d into our internal network & I’m not hitting the public URL, I’m hitting the backend (behind proxy) URL, so, the requests shouldn’t be going through the proxy.

Our staging discourse instance is v 2.3.10

Does the API behave differently on that version?

blake · June 25, 2020, 4:09pm

Nope, v2.3.10 still has all the header based auth stuff so it shouldn’t behave any different.

You are hitting this line:

github.com

discourse/discourse/blob/632ef306e20c8857c23795baabe05a7617c490a1/app/controllers/application_controller.rb#L41


protect_from_forgery

# Default Rails 3.2 lets the request through with a blank session
#  we are being more pedantic here and nulling session / current_user
#  and then raising a CSRF exception
def handle_unverified_request
  # NOTE: API key is secret, having it invalidates the need for a CSRF token
  unless is_api? || is_user_api?
    super
    clear_current_user
    render plain: "[\"BAD CSRF\"]", status: 403
  end
end

before_action :check_readonly_mode
before_action :handle_theme
before_action :set_current_user_for_logs
before_action :clear_notifications
before_action :set_locale
before_action :set_mobile_view
before_action :block_if_readonly_mode

which means your request is malformed in some way and it can’t detect that it is an api request.

blake · June 25, 2020, 4:25pm

Because this is a staging instance and not local you will have nginx or some other webserver running before it hits discourse. It’s possibly nginx is stripping some headers depending on your config. These may show up in the nginx logs.

This is the line where it reads the api credentials out of the request headers. You could also add some debug statements to this file to figure out if the headers are getting this far.

github.com

discourse/discourse/blob/632ef306e20c8857c23795baabe05a7617c490a1/lib/auth/default_current_user_provider.rb#L48


  if uid
    user = User.find_by(id: uid.to_i)
  end
  @env[CURRENT_USER_KEY] = user
  return user
end

request = @request

user_api_key = @env[USER_API_KEY]
api_key = @env.blank? ? nil : @env[HEADER_API_KEY] || request[API_KEY]

auth_token = request.cookies[TOKEN_COOKIE] unless user_api_key || api_key

current_user = nil

if auth_token && auth_token.length == 32
  limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN , 60)

  if limiter.can_perform?
    @user_token = UserAuthToken.lookup(auth_token,

Ryan_NR · June 25, 2020, 5:07pm

@blake

Thanks! I’ll take this up with our dev team

Appreciate your help

system · July 25, 2020, 5:07pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.