Triggering a backup via admin API causes the api_key to become only valid for system user

supermathie · January 12, 2018, 5:00pm

Before:

Reproduction:

$ api_key=340496f95ab2f28cc45f575cbfcc28edd10db076beb1139da14b3fa80bb23dd2
$ curl -XPOST -H 'Content-Type: application/json' "http://discoursedev:3000/admin/backups.json?api_key=$api_key&api_username=michael" -d '{ "with_uploads": true }'
{"success":"OK"}
$ curl "http://discoursedev:3000/admin/backups.json?api_key=$api_key&api_username=michael"
(HTML error page as I'm in development mode)
$ curl "http://discoursedev:3000/admin/backups.json?api_key=$api_key&api_username=system"
[{"filename":"discourse-2018-01-12-112341-v20180111092141.sql.gz","size":3216556,"link":"//discourse/admin/backups/discourse-2018-01-12-112341-v20180111092141.sql.gz"}]

After:

sam · January 14, 2018, 9:48pm

Can you look at the underlying table, before and after?

bin/rails c
> ApiKey.all

supermathie · January 15, 2018, 4:23pm

Before

[4] pry(main)> ApiKey.all
  ApiKey Load (0.4ms)  SELECT "api_keys".* FROM "api_keys"
=> [#<ApiKey:0x0000000d615e38
  id: 3,
  key: "scoobydoowhereareyou",
  user_id: nil,
  created_by_id: -1,
  created_at: Mon, 15 Jan 2018 16:20:10 UTC +00:00,
  updated_at: Mon, 15 Jan 2018 16:20:10 UTC +00:00,
  allowed_ips: nil,
  hidden: false>]

Operation

○ → curl -XPOST -H 'Content-Type: application/json' \
  "http://discoursedev:3000/admin/backups.json?api_key=scoobydoowhereareyou&api_username=michael" \
  -d '{ "with_uploads": true }'
{"success":"OK"}

After

[5] pry(main)> ApiKey.all
  ApiKey Load (0.3ms)  SELECT "api_keys".* FROM "api_keys"
=> [#<ApiKey:0x000000064318d0
  id: 3,
  key: "scoobydoowhereareyou",
  user_id: -1,
  created_by_id: -1,
  created_at: Mon, 15 Jan 2018 16:20:10 UTC +00:00,
  updated_at: Mon, 15 Jan 2018 16:20:31 UTC +00:00,
  allowed_ips: nil,
  hidden: false>]

codinghorror · July 9, 2018, 7:34am

How urgent is this to fix @supermathie? I’m unclear who this bug affects?

supermathie · July 9, 2018, 1:45pm

It’s likely not urgent to fix (I only came across it by accident), but it concern me that the codepath has an unintended side effect of modifying the API key used to access it.

sam · July 10, 2018, 1:45am

Maybe @zogstrip can have a quick look here, my guess is that something about the restore process may be fussing with api keys post restore.

zogstrip · July 10, 2018, 6:06am

I don’t think it’s related to the restore process since @supermathie is just doing a backup

But yeah, I’ll have a look.

gerhard · September 4, 2018, 11:32pm

I gave it a quick try since I was working on backups. I can’t reproduce it. I’m closing it for now.

Topic		Replies	Views
Generate/Regenerate api_key for a user API not working dev rest-api	5	763	January 5, 2020
'/admin/users/{id}/log_out.json' is not working dev rest-api	15	824	September 6, 2023
Invalid Access using Global Key on All users dev rest-api	3	831	December 29, 2020
Access via Discourse API, key and/or user rejected dev rest-api	2	443	December 1, 2023
User API keys: duplicate client_id will lead to internal server error bug rest-api	4	695	February 15, 2024

Triggering a backup via admin API causes the api_key to become only valid for system user

Before

Operation

After

Related Topics