'Invalid access' when using API


(Volkan Unsal) #1

I have been trying to make an API request through the Discourse gem, but it keeps returning

[error: ‘invalid access’]

I checked everything. My API key is correct and so is the username. I don’t see anything in the logs.

(Arpit Jalan) #2

I just checked sending invites through Discourse API, and it works perfectly fine for me.

Are you testing this locally or on your live Discourse instance? Did you update the URL in case you’re testing this on your live Discourse instance:

client = DiscourseApi::Client.new("http://localhost:3000")

(Volkan Unsal) #3

I should have made it clear that it does work for me on localhost:3000. It’s only when I deploy it to production and use that url that it breaks. Not sure if it has to do with the fact that it’s in production mode or something else.

(Sam Saffron) #4

There must be something in /logs

(Volkan Unsal) #5

The only thing I could find in the logs is a single line saying
Discourse::InvalidAccess was raised. I think it’s coming from the
application_controller.rb. But I couldn’t trace it further than that.

(Volkan Unsal) #6

I think this is the line where the error is caught:

(Sam Saffron) #7

InvalidAccess means you are trying to do something you are not allowed to.

Make sure

  1. You set api_key
  2. You set api_username

(Volkan Unsal) #8

I may be wrong about that error. Here is the exact log output:

Processing by SearchController#query as JSON
    Parameters: {"api_key"=>"<correct api key>", "api_username"=>"<correct username>", "term"=>{"term"=>"meta"}}
    Rendered text template (0.0ms)
  Completed 403 Forbidden in 6ms (Views: 1.0ms | ActiveRecord: 1.1ms)

(Sam Saffron) #9

Try generating a new api_key, a global one.

(Volkan Unsal) #10

I just did it again. Not working. I can send you the API key if you want to try it out. I don’t want to paste it on a public forum.

[6] pry(main)> require "discourse_api";client = DiscourseApi::Client.new("http://community.edori.org", "...", "volkanunsal"); client.search(term: "meta")
DiscourseApi::Error: 399: unexpected token at 'error: 'invalid access']'
from /Users/newuser/.rvm/gems/ruby-2.0.0-p247@wish/bundler/gems/discourse_api-27735e3e682b/lib/discourse_api/client.rb:76:in `rescue in request'

(Sam Saffron) #11

Look at /logs, in the env tab, do you see username and api key there?

(Volkan Unsal) #12

I don’t see an env tab on the /logs page. I see info tab and backtrace. And no, the API key is not there.

(Sam Saffron) #13

You need to click on a row … any of the csrf rows will do.

(Volkan Unsal) #14

Ah, got it. Yes, I do see the env tab, and I see my username and token there as well. That’s not a recent request though. It looks like this log hasn’t been updated since yesterday.

(Nick Grossman) #15

I am getting started w a discourse install and am having the exact same problem.

I have generated a new API key (and regenerated it a few times to check that), am passing in the api_key and api_username (the username is an admin account), and am hitting the API both from the command line (curl) and via a separate python web app.

In every case, I’m getting the InvalidAccess error – at the moment I am trying to hit the /users endpoint to create a new user. To use the example from the docs:

curl -X POST --data "name=dave&username=dave&email=dave@example.com&password=P@ssword&active=true&api_username=admin" http://localhost:3000/users?api_key=[my-api-key]

Any suggestions on how to debug this?

Many thanks

(Kane York) #16

Signing up a new user is intentionally hard to script externally. I suggest you either do the signup from a web browser, if it’s just a few accounts, or from an import script.

(Nick Grossman) #17

We are considering a migration, so I was exploring how to do that.

Our first plan was to write a script on our existing app that pushed all of our users in via the API.

Sounds like you’re suggesting doing the scripting directly in the rails app? Since I’m new to the codebase I’m not sure exactly where to start w that.


(Kane York) #18

Check out the script/import_scripts directory :slight_smile:

(Nick Grossman) #19

Excellent, thanks …

(Nick Grossman) #20

On it being “intentionally hard” – I sort of get that, but this appears to be available via the API, but then also disabled via internal checks? If so, I would encourage you to update the documentation so that it’s clearer that you can’t create new users via API.