DSpace / RestContract

REST Contract for DSpace 7-8
https://wiki.lyrasis.org/display/DSDOC8x/

Is the documentation for authentication up to date? I need cookies to login via username&password #209

Closed MW3000 closed 1 year ago

MW3000 commented 1 year ago

The authentication.md document suggests the following to log in via username&password:

curl -v -X POST https://{dspace-server.url}/server/api/authn/login --data "user=dspacedemo%2Badmin%40gmail.com&password=dspace" -H "X-XSRF-TOKEN: {csrf-token}"

This method fails every time. I found the only way to log in is to also send the XSRF cookie, like this:

curl -v -X POST https://{dspace-server.url}/server/api/authn/login --data "user=dspacedemo%2Badmin%40gmail.com&password=dspace" -H "X-XSRF-TOKEN: {csrf-token}" -b "DSPACE-XSRF-COOKIE={xsrf-cookie}"

If this is correct, and the cookie is needed, it should be documented in authentication.md. I found the necessity to send the cookie also documented in a comment on the wiki: https://wiki.lyrasis.org/display/DSPACE/REST+Authentication?focusedCommentId=230828636#comment-230828636

alanorth commented 1 year ago

@MW3000 you are totally right. I'm trying this today on DSpace 7.5-SNAPSHOT and it works. I was scratching my head on this for weeks!

tdonohue commented 1 year ago

@MW3000 or @alanorth : Would one of you be kind enough to create a small PR to update these REST docs? I also think you are correct, but I haven't had a chance to dig into this at all.

But, I do recall that CSRF/XSRF protection requires sending both a Cookie and a Http Header, as that's simply how it works. See https://github.com/DSpace/RestContract/blob/main/csrf-tokens.md

alanorth commented 1 year ago

@tdonohue sure, I can do it. I just noticed that the DSpace 7 installation docs allude to this in the troubleshooting section:

DSpace's CSRF protection relies on the client (User Interface) being able to return both a valid DSPACE-XSRF-COOKIE cookie and a matching X-XSRF-TOKEN header back to the REST API for validation. See our REST Contract for more details https://github.com/DSpace/RestContract/blob/main/csrf-tokens.md

tdonohue commented 1 year ago

Thanks @alanorth! Yes, correct. I think we just never updated the examples in the authentication.md page. :)

Feel free to assign me as a reviewer once the PR is ready, and I'll move it along quickly
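To make concrete why the header-only curl call in this thread fails and the header-plus-cookie call succeeds, here is an added Python model of the double-submit check that csrf-tokens.md describes. It is not DSpace's code: the cookie and header names and the demo credentials come from the thread, while the token generation and the request dictionaries are constructed for the illustration.

```python
# Added example, not DSpace's implementation: models the double-submit cookie
# check behind DSPACE-XSRF-COOKIE / X-XSRF-TOKEN so the two curl variants
# from the issue can be compared offline.
import hmac
import secrets

COOKIE_NAME = "DSPACE-XSRF-COOKIE"   # cookie the REST API sets on the client
HEADER_NAME = "X-XSRF-TOKEN"         # header the client must echo back


def issue_token() -> str:
    """Stand-in for the server handing out a fresh CSRF token (constructed;
    the real API delivers it via Set-Cookie on an earlier response)."""
    return secrets.token_hex(16)


def validate_csrf(headers: dict, cookies: dict) -> bool:
    """Double-submit check: the header must be present AND equal the cookie.
    With no cookie there is nothing to compare against, so the request is
    rejected even when the header carries a genuine token value."""
    header_value = headers.get(HEADER_NAME)
    cookie_value = cookies.get(COOKIE_NAME)
    if not header_value or not cookie_value:
        return False
    return hmac.compare_digest(header_value, cookie_value)


def build_login_request(token: str, send_cookie: bool) -> dict:
    """Builds the two variants from the issue: header only (first curl)
    versus header plus the -b cookie (second curl)."""
    request = {
        "method": "POST",
        "path": "/server/api/authn/login",
        "data": {"user": "dspacedemo+admin@gmail.com", "password": "dspace"},
        "headers": {HEADER_NAME: token},
        "cookies": {},
    }
    if send_cookie:
        request["cookies"][COOKIE_NAME] = token
    return request


def login_accepted(request: dict) -> bool:
    """What the CSRF filter decides before the credentials are even looked at."""
    return validate_csrf(request["headers"], request["cookies"])


if __name__ == "__main__":
    token = issue_token()
    print("header only  :", login_accepted(build_login_request(token, False)))
    print("header+cookie:", login_accepted(build_login_request(token, True)))
```

The same logic is why a scripted client should keep a cookie jar (curl -c/-b) between the request that obtains the token and the login POST, rather than copying only the header value.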