Anomalous API results

Ryan_NR · June 22, 2020, 3:26pm

Howdy!

I’m trying to run an API call to create a new topic. Discourse API Docs

Using Postman I am sending in the API Key / Username / Content-Type as Headers, and JSON data in the body.

I have verified the API Username and Key are correct, but, the API call returns the HTML of our sign in page.

Is this expected? How can I work around that?

Falco · June 22, 2020, 4:35pm

Can you please paste the cURL version of the API call you are trying to make?

Ryan_NR · June 23, 2020, 7:05am

Sure…

curl -X POST 'https://staging-discuss.newrelic.com/posts.json' \
     -H 'Api-Username: RyanVeitch' -i \
     -H 'Api-Key: My-API-Key' -i \
     -H 'Content-Type: application/json' \
     -d \
'{
    "title": "My fancy title",
    "raw": "Some random text to fill my topic",
    "category": 212,
    "created_at": "2020-06-22"
}'

In the terminal I get this output:

HTTP/1.1 307 Temporary Redirect
Proxied-By: Service Gateway
Strict-Transport-Security: max-age=31536000; includeSubDomains
Location: https://staging-login.newrelic.com/login?return_to=https%3A%2F%2Fstaging-discuss.newrelic.com%2Fposts.json
content-type: text/plain;charset=UTF-8
content-length: 138

Redirecting to a different URI: https://staging-login.newrelic.com/login?return_to=https%3A%2F%2Fstaging-discuss.newrelic.com%2Fposts.json%

Ryan_NR · June 23, 2020, 3:36pm

Let me know if you need anything else from my side to help in troubleshooting

Falco · June 23, 2020, 5:16pm

Appears that you have a very custom setup with a proxy in the middle.

That is not standard Discourse behavior, so it looks like this is caused by your special proxy thing.

Maybe there is a special Header you can send to bypass the proxy? Gotta check with that product docs.

Ryan_NR · June 24, 2020, 6:45am

Cool! Thanks @Falco - I’ll dig in with our dev team

Ryan_NR · June 25, 2020, 9:31am

Hey @Falco - I managed to get through the proxy but I’m now being hit by 403 BAD CSRF Errors.

I see this thread seems kinda unfinished…

Do you have any thoughts on how to beat these errors?

blake · June 25, 2020, 3:37pm

I just tested your example curl command locally and it is working fine for me so the syntax is all correct. Is is possible the proxy is stripping some headers? That could be why you are getting the BAD CSRF errors because it can no longer read/access the api credentials.

Ryan_NR · June 25, 2020, 3:51pm

Thanks @blake

Our proxy is fully custom in house built and it’s a front layer to the public.

I’m VPN’d into our internal network & I’m not hitting the public URL, I’m hitting the backend (behind proxy) URL, so, the requests shouldn’t be going through the proxy.

Our staging discourse instance is v 2.3.10

Does the API behave differently on that version?

blake · June 25, 2020, 4:09pm

Nope, v2.3.10 still has all the header based auth stuff so it shouldn’t behave any different.

You are hitting this line:

github.com/discourse/discourse

app/controllers/application_controller.rb

632ef306e


      
          protect_from_forgery
          
          # Default Rails 3.2 lets the request through with a blank session
          #  we are being more pedantic here and nulling session / current_user
          #  and then raising a CSRF exception
          def handle_unverified_request
            # NOTE: API key is secret, having it invalidates the need for a CSRF token
            unless is_api? || is_user_api?
              super
              clear_current_user
              render plain: "[\"BAD CSRF\"]", status: 403
            end
          end
          
          before_action :check_readonly_mode
          before_action :handle_theme
          before_action :set_current_user_for_logs
          before_action :clear_notifications
          before_action :set_locale
          before_action :set_mobile_view
          before_action :block_if_readonly_mode

which means your request is malformed in some way and it can’t detect that it is an api request.

blake · June 25, 2020, 4:25pm

Because this is a staging instance and not local you will have nginx or some other webserver running before it hits discourse. It’s possibly nginx is stripping some headers depending on your config. These may show up in the nginx logs.

This is the line where it reads the api credentials out of the request headers. You could also add some debug statements to this file to figure out if the headers are getting this far.

github.com/discourse/discourse

lib/auth/default_current_user_provider.rb

632ef306e


      
            if uid
              user = User.find_by(id: uid.to_i)
            end
            @env[CURRENT_USER_KEY] = user
            return user
          end
          
          request = @request
          
          user_api_key = @env[USER_API_KEY]
          api_key = @env.blank? ? nil : @env[HEADER_API_KEY] || request[API_KEY]
          
          auth_token = request.cookies[TOKEN_COOKIE] unless user_api_key || api_key
          
          current_user = nil
          
          if auth_token && auth_token.length == 32
            limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN , 60)
          
            if limiter.can_perform?
              @user_token = UserAuthToken.lookup(auth_token,

Ryan_NR · June 25, 2020, 5:07pm

@blake

Thanks! I’ll take this up with our dev team

Appreciate your help

system · July 25, 2020, 5:07pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't verify CSRF token authenticity while creating topics Dev rest-api	1	1154	November 4, 2022
Issue with Api Dev	1	886	August 16, 2022
Discourse admin login throws 403 ["BAD CSRF"] error Support	5	1706	September 15, 2020
'BAD CSRF' while creating a new post Support	2	1845	May 23, 2020
Improve BAD CSRF error message when making API calls with content-type application/json Dev	4	4253	September 14, 2020

Anomalous API results

Related topics