Starting on March 24th, there seems to have been a change in the way the Discourse API responds to requests.
No code changes have been made on our end, and the Api-Key is still valid, but one of our backend services that attempts to get user info started failing when hitting the users/by-external/{id}.json endpoint.
We send the Api-Key and Api-Username headers with these requests, which should be required, per the documentation. These requests have been working fine for years.
Now, all requests made to this endpoint fail with a 403, and the response body:
{
"errors": [
"You are not permitted to view the requested resource."
],
"error_type": "invalid_access"
}
This also happens if I try to request /u/{username}.json
Amazingly, when I do NOT send the headers, these requests, which according to the docs require these authentication headers, actually respond with the requested data, as though they were authenticated.
I've also tried sending an incorrect Api-Key, and it responds with a slightly different message:
{
"errors": [
"You are not permitted to view the requested resource. The API username or key is invalid."
],
"error_type": "invalid_access"
}
This tells me that the key is being accepted, but erroneously reports that it does not grant access to the resource, while granting unauthenticated requests full access.
I also just tested with a brand new Api-Key with all-users / global options, and I get the same results.
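The three probes described in this post (valid key, no headers, wrong key) against the same endpoint, as an added example that is not code from the original post or from Discourse. It assumes only the two header names and two endpoints named above; the base URL, API key, username and external id are placeholders, and the fetch function is injectable so the outcome classification can be checked offline against constructed responses.

```python
"""Probe a Discourse instance for the header/no-header 403 asymmetry.

Added example; not code from the original post or from Discourse.
Assumes the two endpoints and two headers named in the post; base URL,
key, username and external id are placeholders to fill in.
"""
import json
import urllib.error
import urllib.request

# Header names as described in the post.
API_KEY_HEADER = "Api-Key"
API_USERNAME_HEADER = "Api-Username"


def build_request(base_url, path, api_key=None, api_username=None):
    """Return a urllib Request; auth headers are attached only when given."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    req.add_header("Accept", "application/json")
    if api_key is not None:
        req.add_header(API_KEY_HEADER, api_key)
    if api_username is not None:
        req.add_header(API_USERNAME_HEADER, api_username)
    return req


def http_fetch(req):
    """Perform the request; return (status, body_text) even on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body_text):
    """Map a (status, body) pair onto one of the outcomes seen in the post."""
    if status == 200:
        return "data"
    try:
        body = json.loads(body_text)
    except ValueError:
        return "http_%d_non_json" % status
    if status == 403 and body.get("error_type") == "invalid_access":
        messages = " ".join(body.get("errors", []))
        if "key is invalid" in messages:
            return "403_invalid_key"
        return "403_not_permitted"
    return "http_%d" % status


def run_matrix(base_url, path, api_key, api_username, fetch=http_fetch):
    """Send the same request three ways and return {label: outcome}."""
    cases = {
        "valid_key": (api_key, api_username),
        "no_headers": (None, None),
        "wrong_key": ("0" * 64, api_username),  # deliberately bogus key
    }
    results = {}
    for label, (key, user) in cases.items():
        status, body = fetch(build_request(base_url, path, key, user))
        results[label] = classify(status, body)
    return results


def auth_inverted(results):
    """True when the anomaly in the post is present: the valid key is
    refused while the same request with no credentials succeeds."""
    return (results.get("valid_key") == "403_not_permitted"
            and results.get("no_headers") == "data")


if __name__ == "__main__":
    # Placeholders: replace with your instance, key, username and ids.
    BASE = "https://forum.example.com"
    for p in ("/users/by-external/12345.json", "/u/someuser.json"):
        r = run_matrix(BASE, p, "REPLACE_ME_API_KEY", "REPLACE_ME_USERNAME")
        print(p, r, "INVERTED" if auth_inverted(r) else "")
```

Run it against the affected instance with a real key; an "INVERTED" line means the same request is refused with credentials and served without them, which is the condition worth reporting with the exact endpoint and key scope attached.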