API: 403 Forbidden for user creation only

Hi,

I’m getting a 403 for the user creation endpoint whereas other protected endpoints return 200s.

Client (pydiscourse)

In [11]: discourse.create_user('foo bar', 'foobar', 'foobar@foo.com', 'defaultpassword')
2018-09-27 15:38:41 | DEBUG | Starting new HTTPS connection (1): discourse-dev.XXX.com:443
2018-09-27 15:38:41 | DEBUG | https://discourse-dev.XXX.com:443 "GET /users/hp.json?api_key=2228002d86c556d8e266096a27b53d1c7608cbb53b3f245cfdbf91f7314b8461&api_username=system HTTP/1.1" 200 None
2018-09-27 15:38:41 | DEBUG | response 200: '{"value":"decdeb7a874034c","challenge":"08e2f6c5de01c700a49fa8e52b6a371f"}'
2018-09-27 15:38:41 | DEBUG | Starting new HTTPS connection (1): discourse-dev.XXX.com:443
2018-09-27 15:38:41 | DEBUG | https://discourse-dev.XXX.com:443 "POST /users?name=foo+bar&username=foobar&email=foobar%40foo.com&password=defaultpassword&password_confirmation=decdeb7a874034c&challenge=f173a6b25e8af94a007c10ed5c6f2e80&api_key=2228002d86c556d8e266096a27b53d1c7608cbb53b3f245cfdbf91f7314b8461&api_username=system HTTP/1.1" 403 None
2018-09-27 15:38:41 | DEBUG | response 403: ''

Server (production.log)

Started GET "/users/hp.json?api_key=[FILTERED]&api_username=system" for 129.xxx.xxx.xxx at 2018-09-27 13:38:41 +0000
Processing by UsersController#get_honeypot_value as JSON
  Parameters: {"api_key"=>"[FILTERED]", "api_username"=>"system"}
Completed 200 OK in 13ms (Views: 0.4ms | ActiveRecord: 2.7ms)
Started POST "/users?name=foo+bar&username=foobar&email=foobar%40foo.com&password=[FILTERED]&password_confirmation=[FILTERED]&challenge=f173a6b25e8af94a007c10ed5c6f2e80&api_key=[FILTERED]&api_username=system" for 129.xxx.xxx.xxx at 2018-09-27 13:38:41 +0000
Processing by UsersController#create as */*
  Parameters: {"name"=>"foo bar", "username"=>"foobar", "email"=>"foobar@foo.com", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]", "challenge"=>"f173a6b25e8af94a007c10ed5c6f2e80", "api_key"=>"[FILTERED]", "api_username"=>"system"}
  Rendering text template
  Rendered text template (0.0ms)
Completed 403 Forbidden in 23ms (Views: 0.8ms | ActiveRecord: 7.8ms)

Why do I get a 403 while other admin-protected endpoints such as /admin/users/list/active.json return a 200? What can be the deeper cause of that?

Notes:

I narrowed the problem down to the accept local logins setting, which was set to false. So the API is acting accordingly.

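Added example, not code from the post or from pydiscourse: it rebuilds the honeypot handshake visible in the client log (the `value` from /users/hp.json is echoed as `password_confirmation`, the `challenge` is sent reversed, which is what Discourse's server-side honeypot check expects) and triages the response the way the closing note does. The log values are copied from the post; the `api_key` is replaced by a placeholder and the site-setting name `enable_local_logins` is the internal name of the "accept local logins" setting.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed copies of the two client log lines from the post.
# The real api_key is replaced by a placeholder.
HP_BODY = '{"value":"decdeb7a874034c","challenge":"08e2f6c5de01c700a49fa8e52b6a371f"}'
POST_URL = ("https://discourse-dev.XXX.com:443/users?name=foo+bar&username=foobar"
            "&email=foobar%40foo.com&password=defaultpassword"
            "&password_confirmation=decdeb7a874034c"
            "&challenge=f173a6b25e8af94a007c10ed5c6f2e80"
            "&api_key=API_KEY_PLACEHOLDER&api_username=system")


def expected_honeypot_fields(hp_body: str) -> dict:
    """Fields the client must send after fetching /users/hp.json:
    password_confirmation carries the honeypot value unchanged,
    challenge carries the challenge string reversed."""
    hp = json.loads(hp_body)
    return {
        "password_confirmation": hp["value"],
        "challenge": hp["challenge"][::-1],
    }


def post_params(post_url: str) -> dict:
    """Flatten the query string of the logged POST /users request."""
    return {k: v[0] for k, v in parse_qs(urlsplit(post_url).query).items()}


def honeypot_fields_match(post_url: str, hp_body: str) -> bool:
    """True when the POST carries exactly the fields hp.json required."""
    sent = post_params(post_url)
    want = expected_honeypot_fields(hp_body)
    return all(sent.get(k) == v for k, v in want.items())


def triage_create_user(status: int, body: str, post_url: str, hp_body: str) -> str:
    """Classify a /users response using only what the two logs expose."""
    if status != 403:
        return "not a 403"
    if not honeypot_fields_match(post_url, hp_body):
        return "honeypot fields differ from hp.json: refetch hp.json before each POST"
    if body == "":
        # Bare 403 with empty body although other admin endpoints return 200:
        # the note in the post traces this to 'accept local logins' (enable_local_logins) being off.
        return "honeypot fields consistent; check the 'accept local logins' site setting"
    return "honeypot fields consistent; inspect the 403 response body"
```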