Part-DB / Part-DB-server

Part-DB is an Open source inventory management system for your electronic components
https://docs.part-db.de/
GNU Affero General Public License v3.0

Usage of API token will logout the web frontend #637

Closed whc2001 closed 2 weeks ago

whc2001 commented 2 weeks ago

Describe the bug When using the WebUI and the API token from the same user at the same time, the request with API token will invalidate the WebUI's current login state.

To Reproduce Steps to reproduce the behavior:

  1. Create an API token from the current user
  2. Access the API interactive documentation page and authenticate with the generated API token
  3. Validate that WebUI is working fine
  4. Send any request with API interactive documentation page (here I tried GET /api/parts)
  5. Go back to WebUI and do any navigation (even clicking the top left link to home page); you will be redirected to the login page with the warning Access denied! Please log in to continue.

Expected behavior WebUI and API token access should be simultaneous without mutual exclusion.


Additional context This could be circumvented by creating another user, creating an API token there, then setting an unreasonably long password so that it's basically unloginable manually (User disabled (no login possible) cannot be used since it will also disable API token access). However, I still think this might be a bug.

jbtronics commented 2 weeks ago

I don't think there is an easy fix for this, as we need the session, and the Symfony authentication mechanism resets the session every time a new authentication occurs. (And sending an API request with the API token is such an authentication.)

But I am not really sure if it is really a problem. If you want to try out the API endpoints using the web UI, you do not need the API token authentication. They will respond just fine, even without the token set, as they use your existing authentication.

And in API applications, where you need the API token for authentication, you have a separate session context, where using the API token authentication is not affecting the WebUI in the browser.

whc2001 commented 2 weeks ago

Ahh sorry and nevermind, seems like it's the interactive documentation causing the problem. I have tried again with curl and it seems like the problem went away.
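The two outcomes in this thread (logout when the token request rides along with the browser's session cookie, no effect when curl sends the token on its own) come down to whether the token request shares the browser's session context. The following toy model is an added illustration written for this thread; it is not Part-DB or Symfony code. It assumes a firewall that accepts either a session cookie or an API token and, as the maintainer describes, resets any session that arrives with a request that performs a new (token) authentication. The token value and user name are constructed sample data.

```python
"""Toy model of session-vs-API-token interaction (added illustration, not project code).

Assumption: a new authentication (here, API token auth) resets whatever
session accompanied the request, as described by the maintainer above.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data: API token -> owning user (not a real token).
API_TOKENS: Dict[str, str] = {"tok_constructed_example": "alice"}


@dataclass
class Request:
    cookie: Optional[str] = None   # browser session cookie, if any
    token: Optional[str] = None    # Authorization bearer token, if any


@dataclass
class Response:
    status: int                    # 200 ok, 302 redirect to login, 401 bad token
    set_cookie: Optional[str] = None


class Firewall:
    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # session id -> user

    def login_form(self, user: str) -> Response:
        """Form login: create a fresh session and hand its id to the browser."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return Response(200, set_cookie=sid)

    def handle(self, req: Request) -> Response:
        if req.token is not None:
            user = API_TOKENS.get(req.token)
            if user is None:
                return Response(401)
            # Token auth is a *new* authentication: any session cookie that
            # accompanied the request is reset, so that cookie stops working.
            if req.cookie is not None:
                self.sessions.pop(req.cookie, None)
            return Response(200)
        if req.cookie in self.sessions:
            return Response(200)
        return Response(302)  # "Access denied! Please log in to continue."


def interactive_docs_scenario() -> int:
    """Browser logs in, then the docs page sends token + the browser's cookie."""
    fw = Firewall()
    cookie = fw.login_form("alice").set_cookie
    fw.handle(Request(cookie=cookie, token="tok_constructed_example"))
    return fw.handle(Request(cookie=cookie)).status  # 302: WebUI is logged out


def curl_scenario() -> int:
    """Browser logs in; curl sends the token alone, in a separate context."""
    fw = Firewall()
    cookie = fw.login_form("alice").set_cookie
    fw.handle(Request(token="tok_constructed_example"))
    return fw.handle(Request(cookie=cookie)).status  # 200: WebUI unaffected


if __name__ == "__main__":
    print("docs page in browser:", interactive_docs_scenario())
    print("curl with token only:", curl_scenario())
```

The model makes the practical point explicit: API clients should not send the browser's session cookie alongside the token, and a token request that does carry the cookie is the thing to look for when diagnosing an unexpected logout.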