Using Discourse API to return user data when the "Require authentication to read content on this site, disallow anonymous access." setting is checked

Hi,

I enabled the setting “Require authentication to read content on this site, disallow anonymous access”.

I’m making a GET request to the /users/by-external/{EXTERNAL_ID}.json endpoint, and without the above setting enabled, it returns a user perfectly fine. But when I enable the above setting, the GET request returns nothing.

For reference, I have SSO enabled.

Let me know if there’s a workaround or if I’m thinking about this incorrectly.
Thanks in advance!

Also seeing this.

Without knowing how Discourse wants to handle this, it seems like an /admin/users/external/{EXTERNAL.ID}/log_out function would be good to have so you could logout a user by their external ID.

(I’m not a ruby expert so I don’t feel comfortable submitting a pull request for this one)

3 Likes

You’ll need to authenticate/log in to make that request. One way to authenticate is to supply a api_key and api_username, which sounds like what you want here. (The other way is to store Cookies.)

1 Like

Thanks for getting back to me @riking. I’ve been authenticating for the log out call, since it’s a POST request so I can send the api_key and api_username in the request body. Since this call (/users/by-external/{EXTERNAL_ID}.json) is a GET request, it doesn’t make sense to send those in the request body. I tried sending them as a header in the GET request but it wasn’t working. Does this sound like it might be a bug?

Put them in as GET parameters. ?api_key=asfjkdla&api_username=system.

3 Likes

Wouldn’t that be a security vulnerability?
If the request is submitted over HTTPS, the only logging occurs on the server-side, which knows the key anyways.

You can mitigate by creating a new admin user and generating an API key for them, then always using that as the username.

Closing this. API credentials are now passed in through HTTP headers.

5 Likes
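The two ways of authenticating discussed above, as an added example that is not part of the thread and not Discourse's own code: a Ruby client that builds the GET request for /users/by-external/{EXTERNAL_ID}.json with the credentials in the Api-Key and Api-Username headers (the header names current Discourse expects), beside the older query-parameter form, plus a check that refuses to send a URL carrying the key in its query string. The host, external ID, key and username are placeholders.

```ruby
# Added example, not code from the thread or from Discourse itself.
require "net/http"
require "uri"
require "json"

DISCOURSE_BASE = "https://forum.example.com" # placeholder host
EXTERNAL_ID    = 42                           # placeholder external (SSO) id

# Current style: credentials travel in request headers, the query stays empty,
# so the key never lands in browser history, referrers or proxy access logs.
def build_by_external_request(base_url, external_id, api_key, api_username)
  uri = URI.join(base_url, "/users/by-external/#{external_id}.json")
  req = Net::HTTP::Get.new(uri)
  req["Api-Key"]      = api_key
  req["Api-Username"] = api_username
  req["Accept"]       = "application/json"
  [uri, req]
end

# Legacy style suggested earlier in the thread: credentials as GET parameters.
# Kept only to show what the check below rejects.
def build_legacy_query_request(base_url, external_id, api_key, api_username)
  uri = URI.join(base_url, "/users/by-external/#{external_id}.json")
  uri.query = URI.encode_www_form(api_key: api_key, api_username: api_username)
  [uri, Net::HTTP::Get.new(uri)]
end

# True when the query string carries either credential parameter.
def credentials_in_query?(uri)
  return false if uri.query.nil?
  URI.decode_www_form(uri.query).any? { |k, _| %w[api_key api_username].include?(k) }
end

# Perform the lookup; returns the parsed JSON body on a 2xx response, nil otherwise.
# Not called at load time so the file stays offline-safe.
def fetch_user_by_external(base_url, external_id, api_key, api_username)
  uri, req = build_by_external_request(base_url, external_id, api_key, api_username)
  raise "refusing to send API credentials in the query string" if credentials_in_query?(uri)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
    res = http.request(req)
    res.is_a?(Net::HTTPSuccess) ? JSON.parse(res.body) : nil
  end
end
```

A dedicated API user with its own key, as suggested above, still applies: use that account's name as Api-Username rather than system so the key can be revoked without touching other automation.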